我正在尝试在 Cisco ASA 和瞻博网络 SRX 之间创建基于路由的 VPN 连接,但是我遇到了 ACL 和代理 ID 的问题。Cisco ASA 日志指出
[IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
我不知道如何制作 BBBB/255.255.255.0/6/22 以及问题出在哪里。目的是仅通过此 VPN传递SSH 流量。
符号:
AAAA - 瞻博网络公共 IP
BBBB - 瞻博网络私有 IP
YYYY - 思科公共 IP
ZZZZ - 思科私有 IP
瞻博网络 SRX 配置:
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address A.A.A.A/26;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address B.B.B.1/24;
}
}
}
st0 {
unit 0 {
multipoint;
family inet {
next-hop-tunnel 10.10.10.1 ipsec-vpn ipsec-vpn-1-cfgr;
next-hop-tunnel 10.10.10.3 ipsec-vpn ipsec-vpn-2-cfgr;
address 10.10.10.2/24;
}
}
unit 1 {
point-to-point;
family inet {
next-hop-tunnel 10.10.10.4 ipsec-vpn ipsec-vpn-remote-cfgr;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop A.A.A.1;
route B.B.1.0/24 next-hop 10.10.10.1;
route B.B.3.0/24 next-hop 10.10.10.3;
route Z.Z.Z.Z/32 next-hop st0.1;
}
}
security {
ike {
traceoptions {
file size 1m;
flag ike;
flag next-hop-tunnels;
flag all;
}
proposal ike-proposal-cfgr {
authentication-method pre-shared-keys;
dh-group group2;
authentication-algorithm sha1;
encryption-algorithm 3des-cbc;
lifetime-seconds 3600;
}
policy ike-policy-remote-cfgr {
mode main;
proposals ike-proposal-cfgr;
pre-shared-key ascii-text "********";
}
gateway ike-gate-remote-cfgr {
ike-policy ike-policy-remote-cfgr;
address Y.Y.Y.Y;
external-interface fe-0/0/0.0;
}
}
ipsec {
traceoptions {
flag all;
}
proposal ipsec-proposal-remote-cfgr {
protocol esp;
authentication-algorithm hmac-sha1-96;
encryption-algorithm 3des-cbc;
lifetime-seconds 86400;
lifetime-kilobytes 28800;
}
policy ipsec-policy-remote-cfgr {
proposals ipsec-proposal-remote-cfgr;
}
vpn ipsec-vpn-remote-cfgr {
bind-interface st0.1;
vpn-monitor {
optimized;
}
ike {
gateway ike-gate-remote-cfgr;
proxy-identity {
local B.B.B.B/24;
remote Z.Z.Z.Z/32;
service junos-ssh;
}
ipsec-policy ipsec-policy-remote-cfgr;
}
establish-tunnels immediately;
}
}
alg {
traceoptions {
file alg.log size 100000 files 2;
}
dns disable;
msrpc disable;
rsh disable;
sql disable;
}
flow {
tcp-mss {
all-tcp {
mss 1400;
}
ipsec-vpn {
mss 1350;
}
}
tcp-session {
no-syn-check;
no-syn-check-in-tunnel;
no-sequence-check;
}
}
policies {
from-zone guest to-zone remote {
policy local-to-spokes {
match {
source-address net-cfgr_B-B-B-B--24;
destination-address net-cfgr_Z-Z-Z-Z--32;
application junos-ssh;
}
then {
permit;
}
}
}
from-zone remote to-zone guest {
policy spokes-to-local {
match {
source-address net-cfgr_Z-Z-Z-Z--32;
destination-address net-cfgr_B-B-B-B--24;
application junos-ssh;
}
then {
permit;
}
}
}
}
zones {
security-zone remote {
address-book {
address net-cfgr_Z-Z-Z-Z--32 Z.Z.Z.Z/32;
}
interfaces {
st0.1;
}
}
security-zone guest {
address-book {
address net-cfgr_B-B-B-B--24 B.B.B.B/24;
}
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
fe-0/0/7.0;
}
}
}
}
思科 ASA 配置:
ASA Version 9.0(2)
!
interface GigabitEthernet0/0
nameif comcastpublic
ip address Y.Y.Y.Y
!
object network VPNPC
host Z.Z.Z.Z
description VPN PC S2S
object network REMOTE
subnet B.B.B.B 255.255.255.0
access-list comcastpublic_access_in extended permit object SSH object VPNPC object REMOTE
access-list comcastpublic_cryptomap_3 extended permit tcp object VPNPC object REMOTE eq ssh
nat (private,comcastpublic) source static VPNPC VPNPC destination static REMOTE REMOTE no-proxy-arp route-lookup
nat (comcastpublic,private) source static any any destination static
!
nat (private,comcastpublic) after-auto source dynamic any interface dns
access-group comcastpublic_access_in in interface comcastpublic
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map comcastpublic_map 4 match address comcastpublic_cryptomap_3
crypto map comcastpublic_map 4 set peer A.A.A.A
crypto map comcastpublic_map 4 set ikev1 transform-set ESP-3DES-SHA
crypto map comcastpublic_map 4 set ikev2 ipsec-proposal 3DES
crypto map comcastpublic_map 4 set security-association lifetime seconds 86400
crypto map comcastpublic_map 4 set security-association lifetime kilobytes 28800
crypto map comcastpublic_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map comcastpublic_map interface comcastpublic
crypto ikev2 policy 2
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 28800
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable comcastpublic
crypto ikev1 enable comcastpublic
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 8
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!
group-policy GroupPolicy_A.A.A.A internal
group-policy GroupPolicy_A.A.A.A attributes
vpn-tunnel-protocol ikev1 ikev2
tunnel-group A.A.A.A type ipsec-l2l
tunnel-group A.A.A.A general-attributes
default-group-policy GroupPolicy_A.A.A.A
tunnel-group A.A.A.A ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
思科日志:
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Received local Proxy Host data in ID Payload: Address Z.Z.Z.Z, Protocol 6, Port 22
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM IsRekeyed old sa not found by addr
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 1...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 1, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 2...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 2, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 3...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 3, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 4...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 4, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, checking map = comcastpublic_map, seq = 5...
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Static Crypto Map check, map = comcastpublic_map, seq = 5, ACL does not match proxy IDs src:B.B.B.B dst:Z.Z.Z.Z
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Skipping dynamic map SYSTEM_DEFAULT_CRYPTO_MAP sequence 65535: cannot match peerless map when peer found in previous map entry.
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy B.B.B.B/255.255.255.0/6/0 local proxy Z.Z.Z.Z/255.255.255.255/6/22 on interface comcastpublic
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending notify message
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing blank hash payload
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, constructing qm hash payload
Aug 05 05:19:23 [IKEv1]IP = A.A.A.A, IKE_DECODE SENDING Message (msgid=d07c313e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 216
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, QM FSM error (P2 struct &0x00007fffa28c2920, mess id 0x5ef38480)!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE QM Responder FSM error history (struct &0x00007fffa28c2920) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
Aug 05 05:19:23 [IKEv1]Group = A.A.A.A, IP = A.A.A.A, Removing peer from correlator table failed, no match!
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, IKE SA MM:f4ec0f2f terminating: flags 0x01010002, refcnt 0, tuncnt 0
Aug 05 05:19:23 [IKEv1 DEBUG]Group = A.A.A.A, IP = A.A.A.A, sending delete/delete with reason message
有人可以帮忙解决这个问题吗?