I cannot get an IPsec tunnel up and running between a Perle IOLAN SCS 32 with firmware 4.5 and a Cisco ASR 1001 with IOS XE 15.3 - it fails in phase 2, invalid proposal
Are there some correct examples - defining a usable IPsec transform set that the IOLAN would accept?
See - the IOLAN supports these IKE 1 and 2 proposals:
IKE Phase 1 Proposals
The following IKE Phase 1 proposals are supported by the IOLAN VPN gateway:
Ciphers—3DES, AES
Hashes—MD5, SHA1
Diffie-Hellman Groups—2 (MODP1024), 5 (MODP1536), 14 (MODP2048), 15 (MODP3072), 16 (MODP4096), 17 (MODP6144), 18 (MODP8192)
ESP Phase 2 Proposals
The following ESP Phase 2 proposals are supported by the IOLAN VPN gateway:
Ciphers—3DES, AES
Authentication Algorithms—MD5, SHA1, SHA2
and the vpn tunnel must be in "tunnel mode"
perfect forward secrecy: no
protocol: ESP
mode: tunnel (not transport)
opportunistic encryption: no
aggressive mode: no
I have an ASR 1001 that provides a dedicated fvrf and ivrf for the customer - it comes in on the shared internet vrf and is placed into a separate vrf (dmz_iolan)
ike phase 1 seems to negotiate correctly, but ike phase 2 does not - here is the crypto map:
crypto map IPSECMAP2 3003 ipsec-isakmp
set peer 195.41.107.40
set transform-set IOLAN-STD
set reverse-route distance 100
set isakmp-profile IOLAN-PROF
match address iolan01-acl
reverse-route static
!
crypto isakmp profile IOLAN-PROF
vrf DMZ_SCS
keyring IPSEC-KEY2
match identity address 195.41.107.40 255.255.255.255 INTERNET2
and my current IPsec proposal
crypto ipsec transform-set IOLAN-STD esp-3des
mode tunnel
!
and some debug output
Dec 15 14:11:48.907: ISAKMP (45255): received packet from 195.41.107.40 dport 500 sport 500 INTERNET2 (R) QM_IDLE
Dec 15 14:11:48.907: ISAKMP: set new node 2045930127 to QM_IDLE
Dec 15 14:11:48.908: ISAKMP:(45255): processing HASH payload. message ID = 2045930127
Dec 15 14:11:48.908: ISAKMP:(45255): processing SA payload. message ID = 2045930127
Dec 15 14:11:48.908: ISAKMP:(45255):Checking IPSec proposal 0
Dec 15 14:11:48.908: ISAKMP: transform 0, ESP_AES
Dec 15 14:11:48.908: ISAKMP: attributes in transform:
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: SA life type in seconds
Dec 15 14:11:48.908: ISAKMP: SA life duration (basic) of 28800
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-SHA
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP:(45255):Checking IPSec proposal 0
Dec 15 14:11:48.908: ISAKMP: transform 1, ESP_AES
Dec 15 14:11:48.908: ISAKMP: attributes in transform:
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: SA life type in seconds
Dec 15 14:11:48.908: ISAKMP: SA life duration (basic) of 28800
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-MD5
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP:(45255):Checking IPSec proposal 0
Dec 15 14:11:48.908: ISAKMP: transform 2, ESP_3DES
Dec 15 14:11:48.908: ISAKMP: attributes in transform:
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: SA life type in seconds
Dec 15 14:11:48.908: ISAKMP: SA life duration (basic) of 28800
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-SHA
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP:(45255):Checking IPSec proposal 0
Dec 15 14:11:48.908: ISAKMP: transform 3, ESP_3DES
Dec 15 14:11:48.908: ISAKMP: attributes in transform:
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: SA life type in seconds
Dec 15 14:11:48.908: ISAKMP: SA life duration (basic) of 28800
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-MD5
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP:(45255): IPSec policy invalidated proposal with error 256
Dec 15 14:11:48.910: ISAKMP:(45255): IPSec policy invalidated proposal with error 256
Dec 15 14:11:48.912: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
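The quick-mode debug above goes through two distinct stages: per-transform attribute matching (the "atts are acceptable" lines) and a later policy check ("invalidated proposal", "not supported for identity"). The parser below is an added example, not part of the post and not Perle or Cisco tooling; it runs over a constructed, trimmed copy of the debug lines and the stage labels it returns are this example's own names.

```python
import re
# Constructed sample: a trimmed copy of the ISAKMP quick-mode debug lines in the post.
SAMPLE_DEBUG = """\
Dec 15 14:11:48.908: ISAKMP: transform 0, ESP_AES
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-SHA
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP: transform 2, ESP_3DES
Dec 15 14:11:48.908: ISAKMP: encaps is 1 (Tunnel)
Dec 15 14:11:48.908: ISAKMP: authenticator is HMAC-SHA
Dec 15 14:11:48.908: ISAKMP:(45255):atts are acceptable.
Dec 15 14:11:48.908: ISAKMP:(45255): IPSec policy invalidated proposal with error 256
Dec 15 14:11:48.912: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
"""
# One regex per debug line type the parser cares about.
TRANSFORM_RE = re.compile(r"ISAKMP: transform (\d+), (\S+)")
ENCAPS_RE = re.compile(r"encaps is \d+ \((\w+)\)")
AUTH_RE = re.compile(r"authenticator is (\S+)")
ERROR_RE = re.compile(r"invalidated proposal with error (\d+)")

def parse_qm_debug(text):
    """Return (transforms, policy_errors, identity_failure) from IOS quick-mode debug text."""
    transforms, errors, identity_failure, cur = [], [], False, None
    for line in text.splitlines():
        if m := TRANSFORM_RE.search(line):            # start of a new ESP transform
            cur = {"index": int(m.group(1)), "cipher": m.group(2), "acceptable": False}
            transforms.append(cur)
        elif cur is not None and (m := ENCAPS_RE.search(line)):
            cur["encaps"] = m.group(1)                 # Tunnel / Transport
        elif cur is not None and (m := AUTH_RE.search(line)):
            cur["auth"] = m.group(1)                   # ESP integrity algorithm offered
        elif cur is not None and "atts are acceptable" in line:
            cur["acceptable"] = True                   # attribute matching passed
        elif m := ERROR_RE.search(line):
            errors.append(int(m.group(1)))             # later policy check rejected it
        elif "transform proposal not supported for identity" in line:
            identity_failure = True
    return transforms, errors, identity_failure

def diagnose(text):
    """Classify where phase 2 stopped; the labels are this example's own, not IOS terms."""
    transforms, errors, identity_failure = parse_qm_debug(text)
    if not transforms:
        return "no-phase2-proposal-seen"
    if not any(t["acceptable"] for t in transforms):
        return "transform-set-mismatch"        # nothing passed attribute matching
    if errors or identity_failure:
        return "policy-or-identity-mismatch"   # attributes matched; policy/identity check failed
    return "proposal-accepted"
```

Feed it the full `debug crypto isakmp` capture to see whether the rejection happened while matching the transform set or only afterwards in the policy/identity stage.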