The HUB is managed in the data centre and has the external IP 200.200.200.200. There are 10 remote offices.
Office 9 HUB
10.1.9.0 - 100.100.100.100 ->> VPN <<- 200.200.200.200 - 10.1.1.0
In office 9 only, we upgraded from ADSL to EFM and replaced the Cisco 887 with a Cisco 1812 (both running IOS 12.4). I copied the config across and replaced the internet connection details.
Not sure whether it is relevant, but the 1812 connection installed by the EFM provider also has a bridge-mode router in front of it.
ISAKMP now connects:
MYCISCO#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst              src              state          conn-id  slot  status
100.100.100.100  200.200.200.200  MM_NO_STATE    2262     0     ACTIVE (deleted)
But the Phase 2 IPSEC SA never comes up. The log produces these errors:
- transform proposal not supported for identity
- IPSec policy invalidated proposal with error 256
- phase 2 SA policy not acceptable!
From show log:
*Apr 2 21:44:09.198: ISAKMP:(2125):Old State = IKE_QM_READY New State = IKE_QM_READY
*Apr 2 21:44:12.246: ISAKMP (0:2125): received packet from 200.200.200.200 dport 500 sport 500 Global (I) QM_IDLE
*Apr 2 21:44:12.246: ISAKMP: set new node -505694825 to QM_IDLE
*Apr 2 21:44:12.246: crypto_engine: Decrypt IKE packet
*Apr 2 21:44:12.246: crypto_engine: Generate IKE hash
*Apr 2 21:44:12.246: ISAKMP:(2125): processing HASH payload. message ID = -505694825
*Apr 2 21:44:12.246: ISAKMP:(2125): processing SA payload. message ID = -505694825
*Apr 2 21:44:12.246: ISAKMP:(2125):Checking IPSec proposal 0
*Apr 2 21:44:12.246: ISAKMP: transform 0, ESP_AES
*Apr 2 21:44:12.246: ISAKMP: attributes in transform:
*Apr 2 21:44:12.246: ISAKMP: group is 5
*Apr 2 21:44:12.246: ISAKMP: encaps is 1 (Tunnel)
*Apr 2 21:44:12.246: ISAKMP: SA life type in seconds
*Apr 2 21:44:12.246: ISAKMP: SA life duration (basic) of 28800
*Apr 2 21:44:12.246: ISAKMP: authenticator is HMAC-SHA
*Apr 2 21:44:12.246: ISAKMP: key length is 128
*Apr 2 21:44:12.246: CryptoEngine0: validate proposal
*Apr 2 21:44:12.246: ISAKMP:(2125):atts are acceptable.
*Apr 2 21:44:12.246: IPSEC(validate_proposal_request): proposal part #1
*Apr 2 21:44:12.246: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 100.100.100.100, remote= 200.200.200.200,
local_proxy= 10.1.9.0/255.255.255.0/0/0 (type=4),
remote_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 2 21:44:12.246: Crypto mapdb : proxy_match
src addr : 10.1.9.0
dst addr : 10.1.1.0
protocol : 0
src port : 0
dst port : 0
*Apr 2 21:44:12.246: IPSEC(crypto_ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
*Apr 2 21:44:12.246: ISAKMP:(2125): IPSec policy invalidated proposal with error 256
*Apr 2 21:44:12.246: ISAKMP:(2125): phase 2 SA policy not acceptable! (local 100.100.100.100 remote 200.200.200.200)
My config:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MYCISCO
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone AEST 10
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.9.1 10.1.9.99
!
ip dhcp pool VLAN1
import all
network 10.1.9.0 255.255.255.0
default-router 10.1.9.254
domain-name MYDOMAIN.COM
dns-server 8.8.8.8
!
!
ip tcp path-mtu-discovery
no ip bootp server
no ip domain lookup
ip domain name MYDOMAIN.COM
ip name-server 8.8.8.8
!
password encryption aes
crypto pki token default removal timeout 0
!
!
!
no spanning-tree vlan 1
no spanning-tree vlan 2
username ADMINUSERNAME password 0 ADMINPASSWORD
archive
log config
hidekeys
!
!
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 5
lifetime 3600
crypto isakmp key PRESHAREDKEY address 200.200.200.200 no-xauth
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset3 esp-aes 256
crypto ipsec transform-set myset4 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set myset5 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 200.200.200.200
set security-association lifetime seconds 28800
set transform-set myset myset1 myset2 myset3 myset4 myset5
match address 110
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no shutdown
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description Internal Network
ip address 10.1.9.254 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
load-interval 30
!
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
interface Dialer0
no ip redirects
no ip unreachables
no ip proxy-arp
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname CHAP@HOST.COM
ppp chap password 0 CHAPPASSWORD
ppp pap sent-username PAP@HOST.COM password 0 PAPPASSWORD
ppp ipcp dns request accept
crypto map clientmap
!
!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark IP Addresses Permitted to login via ssh and telnet
access-list 1 permit 200.200.200.200
access-list 1 permit 10.1.9.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 deny any
access-list 3 remark NTP Server addresses
access-list 3 permit X.X.X.X
access-list 4 remark Deny All
access-list 4 deny any
access-list 102 remark NAT
access-list 102 deny ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.9.0 0.0.0.255 any
access-list 110 remark VPN
access-list 110 permit ip 10.1.9.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
password CONPASSWORD
line aux 0
access-class 4 in
line vty 0 4
access-class 1 in
exec-timeout 500 0
privilege level 3
password VTYPASSWORD
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
ntp access-group peer 3
ntp access-group serve 4
ntp master
ntp server X.X.X.X
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
I suspect the access-list setup, but it is identical to the other 9 offices, and the network support team that provides the HUB side has looked over all the settings.
Thanks for your input!
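An added example, not part of the original post and not the poster's or Cisco's code: a small Python checker that pulls the hub's Phase 2 proposal out of the "debug crypto isakmp" lines above (cipher, key length, integrity algorithm, encapsulation mode) and compares it, attribute by attribute, with the transform-sets referenced by crypto map entry 1 in the posted config. This is the same comparison IOS performs in IPSEC(validate_proposal_request) before it prints "transform proposal not supported for identity". The debug lines and config lines embedded below are copied from the post; the set name "aes128sha" used to show what a matching set would look like is a hypothetical name chosen here.

```python
"""Added example: check an IKE Phase 2 (Quick Mode) proposal against the local
IOS transform-sets the way IPSEC(validate_proposal_request) does. Not code from
the original post; the sample inputs below are copied from it."""

import re

# Constructed sample input: the hub's proposal as printed by "debug crypto isakmp" in the post.
DEBUG_LOG = """\
*Apr 2 21:44:12.246: ISAKMP:(2125):Checking IPSec proposal 0
*Apr 2 21:44:12.246: ISAKMP: transform 0, ESP_AES
*Apr 2 21:44:12.246: ISAKMP: attributes in transform:
*Apr 2 21:44:12.246: ISAKMP: group is 5
*Apr 2 21:44:12.246: ISAKMP: encaps is 1 (Tunnel)
*Apr 2 21:44:12.246: ISAKMP: SA life type in seconds
*Apr 2 21:44:12.246: ISAKMP: SA life duration (basic) of 28800
*Apr 2 21:44:12.246: ISAKMP: authenticator is HMAC-SHA
*Apr 2 21:44:12.246: ISAKMP: key length is 128
"""

# Constructed sample input: the transform-sets and crypto map entry 1 from the posted config.
CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
crypto ipsec transform-set myset3 esp-aes 256
crypto ipsec transform-set myset4 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set myset5 esp-3des esp-sha-hmac
 mode transport
!
crypto map clientmap 1 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set myset myset1 myset2 myset3 myset4 myset5
 match address 110
"""

# IOS ESP transform keywords -> (cipher, default key length in bits).
# "esp-aes" may be followed by an explicit 192 or 256; 128 is the default.
ENC = {"esp-des": ("DES", 56), "esp-3des": ("3DES", 168), "esp-aes": ("AES", 128)}
AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}
ATTRS = ("enc", "keylen", "auth", "mode")


def parse_transform_sets(config):
    """Return {name: {enc, keylen, auth, mode}} for every 'crypto ipsec transform-set'.
    An indented 'mode transport' applies only to the set defined immediately before
    it; tunnel mode is the IOS default."""
    sets, last = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            last, tokens = m.group(1), m.group(2).split()
            ts = {"enc": None, "keylen": None, "auth": None, "mode": "tunnel"}
            for i, tok in enumerate(tokens):
                if tok in ENC:
                    ts["enc"], ts["keylen"] = ENC[tok]
                    if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                        ts["keylen"] = int(tokens[i + 1])
                elif tok in AUTH:
                    ts["auth"] = AUTH[tok]
            sets[last] = ts
        elif last and line.strip() == "mode transport":
            sets[last]["mode"] = "transport"
    return sets


def map_candidates(config):
    """Transform-set names listed on the first 'set transform-set' line of a crypto map entry."""
    m = re.search(r"^\s*set transform-set (.+)$", config, re.M)
    return m.group(1).split() if m else []


def parse_offer(debug):
    """Extract the peer's ESP proposal (cipher, key length, integrity, mode) from
    'debug crypto isakmp' output. The key length defaults per cipher if the peer
    sends no explicit attribute."""
    offer = dict.fromkeys(ATTRS)
    for line in debug.splitlines():
        if m := re.search(r"transform \d+, ESP_(\S+)", line):
            offer["enc"] = m.group(1)
            offer["keylen"] = {"DES": 56, "3DES": 168, "AES": 128}.get(m.group(1))
        elif m := re.search(r"key length is (\d+)", line):
            offer["keylen"] = int(m.group(1))
        elif m := re.search(r"authenticator is (\S+)", line):
            offer["auth"] = m.group(1)
        elif m := re.search(r"encaps is \d+ \((\w+)\)", line):
            offer["mode"] = m.group(1).lower()
    return offer


def match_offer(offer, sets, candidates):
    """Compare the offer with each candidate set. IOS accepts a proposal only when
    cipher, key length, integrity algorithm and encapsulation mode all agree, so
    return the first such set (or None) plus the differing attributes per set.
    A name on the crypto map with no matching transform-set is reported as undefined."""
    reasons = {
        name: [a for a in ATTRS if sets[name][a] != offer[a]] if name in sets else ["undefined"]
        for name in candidates
    }
    matched = next((name for name in candidates if not reasons[name]), None)
    return matched, reasons


def diagnose(debug=DEBUG_LOG, config=CONFIG):
    """Run the whole check and return the offer, the accepted set and the per-set differences."""
    offer = parse_offer(debug)
    matched, reasons = match_offer(offer, parse_transform_sets(config), map_candidates(config))
    return {"offer": offer, "matched": matched, "reasons": reasons}


if __name__ == "__main__":
    result = diagnose()
    print("peer proposes:", result["offer"])
    for name, diff in result["reasons"].items():
        print(f"  {name:8s}", "MATCH" if not diff else "differs in " + ", ".join(diff))
    print("accepted set:", result["matched"])
```

Run against the posted data, the report shows every set on crypto map entry 1 differing from the offer in at least one attribute (myset3 and myset4 carry a 256-bit key and the wrong or no integrity algorithm, myset5 is transport mode), which is exactly the condition under which IOS logs "IPSec policy invalidated proposal with error 256". Feeding the checker a config that adds a set with esp-aes esp-sha-hmac in tunnel mode, under the hypothetical name aes128sha, reports that set as accepted.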