I am setting up an IPsec tunnel between a Linux system running Openswan and a Cisco ASA 5505. Oddly, I believe the tunnel comes up (based on the screenshot below), but I cannot get traffic through it. I am wondering whether having the LAN be a loopback interface on the Openswan system is a problem.
In short, the ASA side (2.2.2.2) has LAN 192.168.0.0/24 and the Openswan side (1.1.1.1) has LAN 172.16.255.1/32, which is a loopback interface on the Openswan system.
I get the following error, and I am fairly confident it is related to this line:
"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24
Openswan output:
"L2L-IPSEC" #1: initiating Main Mode
"L2L-IPSEC" #1: received Vendor ID payload [RFC 3947] method set to=109
"L2L-IPSEC" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"L2L-IPSEC" #1: enabling possible NAT-traversal with method 4
"L2L-IPSEC" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"L2L-IPSEC" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"L2L-IPSEC" #1: received Vendor ID payload [Cisco-Unity]
"L2L-IPSEC" #1: received Vendor ID payload [XAUTH]
"L2L-IPSEC" #1: ignoring unknown Vendor ID payload [4fbc775ddcc5a56a715d9fb1a2c92d6a]
"L2L-IPSEC" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"L2L-IPSEC" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
"L2L-IPSEC" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"L2L-IPSEC" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"L2L-IPSEC" #1: received Vendor ID payload [Dead Peer Detection]
| protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
"L2L-IPSEC" #1: Main mode peer ID is ID_IPV4_ADDR: '68.99.157.15'
"L2L-IPSEC" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"L2L-IPSEC" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"L2L-IPSEC" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:58792b0d proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
"L2L-IPSEC" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=58792b0d
"L2L-IPSEC" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"L2L-IPSEC" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6b58a97a <0x359aa18e xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"L2L-IPSEC" #1: the peer proposed: 172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0
"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24
"L2L-IPSEC" #1: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500
Cisco output:
Apr 08 2014 09:02:25: %ASA-3-713902: Group = 1.1.1.1, IP = 1.1.1.1, QM FSM error (P2 struct &0xcc6e8cf8, mess id 0xd6971887)!
Apr 08 2014 09:02:25: %ASA-3-713902: Group = 1.1.1.1, IP = 1.1.1.1, Removing peer from correlator table failed, no match!
Apr 08 2014 09:02:25: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside-cmap. Map Sequence Number = 40.
asa# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside-cmap, seq num: 40, local addr: 2.2.2.2
access-list VPN-TRAFFIC-VPS1 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 529934CE
current inbound spi : CFD6928B
inbound esp sas:
spi: 0xCFD6928B (3486945931)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 917504, crypto-map: outside-cmap
sa timing: remaining key lifetime (kB/sec): (4374000/28735)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x529934CE (1385772238)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 917504, crypto-map: outside-cmap
sa timing: remaining key lifetime (kB/sec): (4374000/28735)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Openswan /etc/network/interfaces:
auto lo
iface lo inet loopback

auto lo:1
iface lo:1 inet static
    address 172.16.255.1
    netmask 255.255.255.255

auto eth0
iface eth0 inet static
    address 1.1.1.1
    gateway 1.1.1.254
    netmask 255.255.255.0
    dns-nameservers 8.8.8.8 8.8.4.4
Openswan configuration (/etc/ipsec.conf):
config setup
    listen=1.1.1.1
    dumpdir=/var/run/pluto
    nat_traversal=yes #pretty sure this isn't needed
    virtual_private=%v4:192.168.0.0/24
    oe=off
    protostack=netkey

conn L2L-IPSEC
    authby=secret #use shared secret
    auto=start #automatically start if detected
    type=tunnel #tunnel mode/not transport
    ###THIS SIDE###
    left=1.1.1.1
    leftsubnet=172.16.255.1/32
    leftsourceip=172.16.255.1
    ###PEER SIDE###
    right=2.2.2.2
    rightsubnet=192.168.0.0/24
    #phase 1 encryption-integrity-diffhellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=aes256-sha1;modp1024
    pfs=no
Cisco ASA configuration:
crypto ipsec ikev1 transform-set vps1TS esp-aes-256 esp-sha-hmac
crypto map outside-cmap 40 match address VPN-TRAFFIC-VPS1
crypto map outside-cmap 40 set peer 1.1.1.1
crypto map outside-cmap 40 set ikev1 transform-set vps1TS
crypto map outside-cmap interface outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
access-list VPN-TRAFFIC-VPS1; 2 elements; name hash: 0xa6c3fa81
access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp object inside-network object vps1-network (hitcnt=3183) 0xed457442
access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=3183) 0xed457442
access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip object inside-network object vps1-network (hitcnt=88) 0xbddc26cf
access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=88) 0xbddc26cf
object network inside-network
 subnet 192.168.0.0 255.255.255.0
object network vps1-network
 subnet 172.16.255.1 255.255.255.255
nat (inside,outside) source static inside-network inside-network destination static vps1-network vps1-network
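The pluto message "cannot respond to IPsec SA request because no connection is known for ..." means the responder could not find a conn whose client subnets and protocol/port equal what the peer proposed; in pluto's end format the trailing ":1/0" is protocol/port, and the ASA copies the protocol of each crypto-ACL entry into the selectors it negotiates for that entry. The script below is an added illustration (not code from the post, Openswan or Cisco) that parses the rejection line and the ASA "show access-list" output quoted above and compares each proposal against the conn from the ipsec.conf. The exact-match rule it applies is a simplified model of pluto's IKEv1 responder and is an assumption of the example, as are the function names.

```python
"""Match a pluto "no connection is known for ..." rejection against ipsec.conf.

Added illustration; not code from the original post, Openswan, or Cisco.
REJECT_LINE and ASA_ACL are constructed copies of lines from the question;
CONNS mirrors its ipsec.conf.  Matching rule (simplified model, assumption):
the peer's client subnets and protocol/port must equal a conn's exactly,
and an end with no protoport configured defaults to 0/0 (any).
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

# pluto prints the local end as subnet===host<id>[flags] and the peer end as
# host<id>[flags]===subnet; ":protocol/port" appears only when non-zero.
_LEFT = (r"(?P<lsub>[\d.]+/\d+)===(?P<lhost>[\d.]+)<[^>]*>\[[^\]]*\]"
         r"(?::(?P<lproto>\d+)/(?P<lport>\d+))?")
_RIGHT = (r"(?P<rhost>[\d.]+)<[^>]*>\[[^\]]*\](?::(?P<rproto>\d+)/(?P<rport>\d+))?"
          r"===(?P<rsub>[\d.]+/\d+)")
REJECT_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: cannot respond to IPsec SA request because '
    r"no connection is known for " + _LEFT + r"\.\.\." + _RIGHT)

# ASA "show access-list" expanded ACE lines (object-based lines are skipped).
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
ACE_RE = re.compile(
    r"access-list \S+ (?:line \d+ )?extended permit (?P<proto>ip|icmp|tcp|udp) "
    r"(?P<src>host [\d.]+|[\d.]+ [\d.]+) (?P<dst>host [\d.]+|[\d.]+ [\d.]+)")


@dataclass(frozen=True)
class Selector:
    """One proposed traffic selector: client subnet plus protocol/port (0 = any)."""
    subnet: IPv4Network
    proto: int = 0
    port: int = 0


@dataclass
class Conn:
    """The ipsec.conf parameters that take part in Phase 2 selector matching."""
    name: str
    leftsubnet: IPv4Network
    rightsubnet: IPv4Network
    leftprotoport: Tuple[int, int] = (0, 0)
    rightprotoport: Tuple[int, int] = (0, 0)


def parse_rejection(line: str) -> Optional[Tuple[str, Selector, Selector]]:
    """Return (conn name, our selector, peer selector) from a pluto rejection line."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    mine = Selector(ip_network(m["lsub"]), int(m["lproto"] or 0), int(m["lport"] or 0))
    his = Selector(ip_network(m["rsub"]), int(m["rproto"] or 0), int(m["rport"] or 0))
    return m["conn"], mine, his


def diagnose(mine: Selector, his: Selector, conns: List[Conn]) -> List[str]:
    """Per-conn mismatch reasons; an empty list means some conn accepts the proposal."""
    problems = []
    for c in conns:
        reasons = []
        if mine.subnet != c.leftsubnet:
            reasons.append(f"local subnet {mine.subnet} != leftsubnet {c.leftsubnet}")
        if his.subnet != c.rightsubnet:
            reasons.append(f"remote subnet {his.subnet} != rightsubnet {c.rightsubnet}")
        if (mine.proto, mine.port) != c.leftprotoport:
            reasons.append(f"local protoport {mine.proto}/{mine.port} != "
                           f"leftprotoport {c.leftprotoport[0]}/{c.leftprotoport[1]}")
        if (his.proto, his.port) != c.rightprotoport:
            reasons.append(f"remote protoport {his.proto}/{his.port} != "
                           f"rightprotoport {c.rightprotoport[0]}/{c.rightprotoport[1]}")
        if not reasons:
            return []
        problems.append(f"{c.name}: " + "; ".join(reasons))
    return problems


def _net(token: str) -> IPv4Network:
    """'host A' -> A/32; 'A MASK' -> A/MASK (ASA writes dotted subnet masks)."""
    if token.startswith("host "):
        return ip_network(token.split()[1] + "/32")
    addr, mask = token.split()
    return ip_network(f"{addr}/{mask}")


def predict_asa(acl_lines: List[str], conns: List[Conn]) -> List[Tuple[str, List[str]]]:
    """One Phase 2 proposal per crypto-ACL entry, with the ACE protocol in both
    selectors; ACE source is the peer's subnet, destination is ours."""
    results = []
    for line in acl_lines:
        m = ACE_RE.search(line)
        if not m:
            continue
        proto = PROTO_NUM[m["proto"]]
        mine, his = Selector(_net(m["dst"]), proto), Selector(_net(m["src"]), proto)
        results.append((m.group(0), diagnose(mine, his, conns)))
    return results


REJECT_LINE = ('"L2L-IPSEC" #1: cannot respond to IPsec SA request because no connection '
               'is known for 172.16.255.1/32===1.1.1.1<1.1.1.1>[+S=C]:1/0'
               '...2.2.2.2<2.2.2.2>[+S=C]:1/0===192.168.0.0/24')
ASA_ACL = [
    "access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp 192.168.0.0 "
    "255.255.255.0 host 172.16.255.1 (hitcnt=3183) 0xed457442",
    "access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip 192.168.0.0 "
    "255.255.255.0 host 172.16.255.1 (hitcnt=88) 0xbddc26cf",
]
CONNS = [Conn("L2L-IPSEC", ip_network("172.16.255.1/32"), ip_network("192.168.0.0/24"))]

if __name__ == "__main__":
    name, mine, his = parse_rejection(REJECT_LINE)
    print(f"{name}: peer proposed {his} -> {mine}")
    for p in diagnose(mine, his, CONNS):
        print("  ", p)
    for ace, problems in predict_asa(ASA_ACL, CONNS):
        print(ace, "->", "OK" if not problems else problems)
```

Run stand-alone it reports that the proposal's subnets match the conn and only the protocol/port differs, and that of the two ACL entries only the "permit ip" one yields a proposal the conn accepts. The same comparison can be fed any later rejection line: once the conn and the peer's proposal agree on every field, the check returns an empty list.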