When I try to set up an IPsec site-to-site VPN, I get this error:
PSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC: New embryonic SA created @ 0x00007fffa372dc60,
SCB: 0x9C3EF830,
Direction: inbound
SPI : 0x17951BCF
Session ID: 0x00AA2000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1,
saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:49 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:50 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:51 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=10.0.100.2, sport=45638, daddr=192.168.120.100, dport=45638
IPSEC(crypto_map_check)-3: Checking crypto map outside_map 10: matched.
Jul 24 08:20:52 [IKE COMMON DEBUG]Duplicate entry already in Tunnel Manager
Jul 24 08:21:20 [IKE COMMON DEBUG]IKEv1 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 10.
Jul 24 08:21:20 [IKE COMMON DEBUG]Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 10.
Jul 24 08:21:20 [IKE COMMON DEBUG]Tunnel Manager Removed entry. Map Tag = outside_map. Map Sequence Number = 10.
IPSEC: Received a PFKey message from IKE
IPSEC: Destroy current inbound SPI: 0x17951BCF
It never reaches "Phase 1 succeed".
FWASA(config)# show isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 217.117.146.118
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
How can I fix this?
Here is my config:
ASA Version 8.6(1)2
!
hostname FW-VPN-IPS
domain-name name.sn
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.100.254 255.255.255.0
!
boot system disk0:/asa861-2-smp-k8.bin
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Remote-ASA
host 217.X.X.X
object network RA-VPN-local
subnet 10.0.100.0 255.255.255.0
object network Remote-servers
host 192.168.120.100
access-list Security-ACL extended permit ip 10.0.100.0 255.255.255.0 host 192.168.120.100
access-list Security-ACL extended permit ip host 192.168.120.100 10.0.100.0 255.255.255.0
access-list Interesting-traffic extended permit ip 10.0.100.0 255.255.255.0 host 192.168.120.100
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 10 burst-size 10
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (outside,outside) source static RA-VPN-local RA-VPN-local destination static Remote-servers Remote-servers no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set TRANS1 esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal 3DES-SHA
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des
protocol esp integrity sha-1
crypto map OUTSIDE_map 10 set security-association lifetime seconds 28800
crypto map map002 3 match address Interesting-traffic
crypto map map002 3 set peer 217.X.X.X
crypto map map002 3 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 10 match address Interesting-traffic
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 217.X.X.X
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 10 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256
secure
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
console timeout 0
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-clientless
group-policy RA-VPN-Group internal
group-policy RA-VPN-Group attributes
vpn-filter value Security-ACL
vpn-tunnel-protocol ikev1
pfs enable
group-policy L2L-policy internal
group-policy L2L-policy attributes
vpn-filter value Security-ACL
vpn-tunnel-protocol ikev2
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive disable
tunnel-group 217.X.X.X type ipsec-l2l
tunnel-group 217.X.X.X general-attributes
default-group-policy L2L-policy
tunnel-group 217.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable ou
tunnel-group-map default-group 217.X.X.X
!
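As an added example (not code from the post), a small Python checker run over an excerpt of the config above: it reports crypto maps that are never applied to an interface (ASA map names are case-sensitive, so OUTSIDE_map and outside_map are distinct maps) and crypto map entries whose IKE versions are not all allowed by the vpn-tunnel-protocol of the peer's default group-policy. Whether such a mismatch is the actual cause of the failure is an assumption to confirm against the peer's configuration and debugs.

```python
from collections import defaultdict

# Constructed excerpt of the crypto map, group-policy and tunnel-group lines from the post's ASA config.
ASA_CONFIG = """\
crypto map OUTSIDE_map 10 set security-association lifetime seconds 28800
crypto map map002 3 set peer 217.X.X.X
crypto map map002 3 set ikev2 ipsec-proposal 3DES-SHA
crypto map outside_map 10 match address Interesting-traffic
crypto map outside_map 10 set peer 217.X.X.X
crypto map outside_map 10 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 10 set ikev2 ipsec-proposal 3DES-SHA DES 3DES AES AES192 AES256 secure
crypto map outside_map interface outside
group-policy L2L-policy attributes
 vpn-tunnel-protocol ikev2
tunnel-group 217.X.X.X general-attributes
 default-group-policy L2L-policy
"""

def parse(config):
    """Collect crypto map entries, interface bindings, group-policy protocols and tunnel-group policies."""
    entries = defaultdict(lambda: {"peer": None, "ike": set()})
    bound, gp, tg, ctx = set(), {}, {}, None
    for w in (l.split() for l in config.splitlines() if l.strip()):
        if w[:2] == ["crypto", "map"] and w[3] == "interface":
            bound.add(w[2])                       # map applied to an interface
        elif w[:2] == ["crypto", "map"]:
            e = entries[(w[2], int(w[3]))]        # ASA map names are case-sensitive
            if w[4:6] == ["set", "peer"]:
                e["peer"] = w[6]
            elif w[4:6] in (["set", "ikev1"], ["set", "ikev2"]):
                e["ike"].add(w[5])
        elif w[0] in ("group-policy", "tunnel-group"):
            ctx = (w[0], w[1])                    # config block we are now inside
        elif w[0] == "vpn-tunnel-protocol" and ctx and ctx[0] == "group-policy":
            gp[ctx[1]] = set(w[1:])
        elif w[0] == "default-group-policy" and ctx and ctx[0] == "tunnel-group":
            tg[ctx[1]] = w[1]
    return entries, bound, gp, tg

def lint(config):
    """Report maps never applied to an interface, and bound entries whose IKE versions exceed the peer's group-policy."""
    entries, bound, gp, tg = parse(config)
    unbound = sorted({name for name, _ in entries} - bound)
    mismatch = []
    for (name, seq), e in entries.items():
        allowed = gp.get(tg.get(e["peer"], ""), set())
        if name in bound and e["peer"] in tg and not e["ike"] <= allowed:
            mismatch.append((f"{name} {seq}", sorted(e["ike"] - allowed)))
    return {"unbound_maps": unbound, "protocol_mismatch": mismatch}
```

Running `lint(ASA_CONFIG)` on the excerpt flags OUTSIDE_map and map002 as unbound and reports that outside_map 10 offers IKEv1 while L2L-policy only permits ikev2.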