Azure VPN with Cisco ASA

network-engineering cisco vpn security ike
2021-07-22 16:49:43

I have a Cisco 5516-X running 9.7(1)21 and I am trying to build a working VPN to Azure. As far as I can tell, phase 1 completes fine, but phase 2 fails with a policy mismatch.

Any suggestions on how to change the Azure and/or ASA configuration to get this working?

Thanks for any advice on how to solve this!

Debug:

# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:44876, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id                 Local                Remote     Status         Role
851718313      <CiscoPubIP>/500     <AzurePubIP>/500      READY    RESPONDER
  Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:24, Auth sign: PSK, Auth verify: PSK
  Life/Active Time: 86400/32 sec

#debug crypto ikev2 protocol 127
....
IKEv2-PROTO-2: (554): Processing IKE_AUTH message
IKEv2-PROTO-1: (554): Failed to find a matching policy
IKEv2-PROTO-1: (554): Received Policies: 
ESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
IKEv2-PROTO-1: (554): Failed to find a matching policy
IKEv2-PROTO-1: (554): Expected Policies: 
IKEv2-PROTO-5: (554): Failed to verify the proposed policies
IKEv2-PROTO-1: (554): Failed to find a matching policy
....

Azure configuration

$IPSecpolicy    = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 28800 -SADataSizeKilobytes 102400000;

Cisco configuration

access-list outside_access_in extended permit ip host <azurePubIP> host <CiscoPubIP>

crypto ipsec ikev2 ipsec-proposal AES-256
  protocol esp encryption aes-256
  protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5

crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup

crypto dynamic-map default_map 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AES-256
crypto map outside_map 65535 ipsec-isakmp dynamic default_map

crypto isakmp identity address
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 policy 2
 encryption aes-256
 integrity sha384
 group 24
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 50
 encryption aes-256
 integrity sha256
 group 2
 prf sha256 sha
 lifetime seconds 86400

crypto ikev2 enable outside

tunnel-group <AzurePubIP> type ipsec-l2l
tunnel-group <AzurePubIP> ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
no tunnel-group-map enable peer-ip

1 Answer

You are missing the corresponding crypto map statements for that tunnel. Without crypto map statements you will not be able to form phase 2. Dynamic tunnels, like the one you are asking about, are only for the case where your IP address is dynamic (not static), for example if your ISP assigns you an IP address via DHCP; your ASA will then be the initiator of all tunnels configured on it (it will never be the receiver), because its IP address is never permanently known. Unless that is your situation, you should have something like:

crypto map outside_map 1 match address <access list for interesting traffic>
crypto map outside_map 1 set pfs <DH group Azure says to use>
crypto map outside_map 1 set peer <azure peer IP>
crypto map outside_map 1 set ikev2 ipsec-proposal <proposal to use>
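The following is an added example that fills in the four crypto map lines from the answer for the Azure peer in the question; it is not part of the original answer. The phase 2 proposal (AES-256/SHA-1) and the PFS group (24) are taken from the question's New-AzureRmIpsecPolicy line. The object names, the ACL name AZURE-VPN-ACL, the address ranges 10.10.0.0/16 and 10.20.0.0/16, and the NAT exemption are assumptions; substitute your own LAN and VNet address spaces.

```cisco
! Added example, not from the question or answer. Placeholders:
! OnPrem-LAN / Azure-VNET / AZURE-VPN-ACL and the 10.x ranges are assumed.

! Interesting traffic: on-prem LAN <-> Azure VNet address space
object network OnPrem-LAN
 subnet 10.10.0.0 255.255.0.0
object network Azure-VNET
 subnet 10.20.0.0 255.255.0.0
access-list AZURE-VPN-ACL extended permit ip object OnPrem-LAN object Azure-VNET

! Assumed: exempt the tunnel traffic from NAT so the inner addresses
! still match AZURE-VPN-ACL when they hit the crypto map (only needed
! if inside hosts are otherwise translated on the outside interface)
nat (inside,outside) source static OnPrem-LAN OnPrem-LAN destination static Azure-VNET Azure-VNET no-proxy-arp route-lookup

! Phase 2 proposal matching the Azure policy in the question
! (-IpsecEncryption AES256 -IpsecIntegrity SHA1); the question's config
! already has this proposal, repeated here for completeness
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

! Static map entry keyed to the Azure peer, with a lower sequence number
! than the dynamic entry (65535) so it is evaluated first
crypto map outside_map 1 match address AZURE-VPN-ACL
crypto map outside_map 1 set peer <AzurePubIP>
crypto map outside_map 1 set pfs group24
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
! Optional: align the phase 2 lifetime with -SALifeTimeSeconds 28800 on
! the Azure side (IKEv2 does not negotiate lifetimes, so a mismatch only
! changes who rekeys first)
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map interface outside

! Check after the next IKE_AUTH: a CHILD SA should now appear
! show crypto ikev2 sa
! show crypto ipsec sa peer <AzurePubIP>
```

With the static entry in place, `show crypto ikev2 sa` should report a non-zero `CHILD count` for the Azure session instead of the `CHILD count:0` seen in the question's output.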