I have an Azure subscription with one virtual network, where the gateway subnet is 172.26.0.0/27, and then I have a number of subnets, e.g. 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, ...
On the router side I have configured network objects for 172.26.0.0/27 and 172.26.1.0/24.
The local network is 10.0.0.0/8.
This is the configuration I am using on the router to set up the site-to-site connection:
object network HQ-LAN
 subnet 10.0.0.0 255.0.0.0
 description The HQ LAN
object network AzureLabNet-LAN
 subnet 172.26.1.0 255.255.255.0
 description The Azure AzureLabNet LAN range
object network AzureLabNet-Gateway
 subnet 172.26.0.0 255.255.255.224
object-group network AzureLabNet-network
 description Azure AzureLabNet Virtual Network
 network-object object AzureLabNet-LAN
 network-object object AzureLabNet-Gateway
object-group network HQ-network
 description HQ on-premises Network
 network-object object HQ-LAN
access-list azure-vpn-acl extended permit ip object-group HQ-network object-group AzureLabNet-network log notifications
nat (LAN,INTERNET) source static HQ-network HQ-network destination static AzureLabNet-network AzureLabNet-network no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal AZURE-TRANSFORM-2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto ipsec inner-routing-lookup
crypto map CRYPTO-MAP 1 match address azure-vpn-acl
crypto map CRYPTO-MAP 1 set peer 40.a.b.c
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal AZURE-TRANSFORM-2
crypto map CRYPTO-MAP 1 set ikev2 pre-shared-key ********
crypto map CRYPTO-MAP 1 set security-association lifetime seconds 3600
crypto map CRYPTO-MAP 1 set nat-t-disable
crypto map CRYPTO-MAP interface INTERNET
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ikev2 enable INTERNET
group-policy AzureGroupPolicy internal
group-policy AzureGroupPolicy attributes
 vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 40.a.b.c type ipsec-l2l
tunnel-group 40.a.b.c general-attributes
 default-group-policy AzureGroupPolicy
tunnel-group 40.a.b.c ipsec-attributes
 ikev2 remote-authentication pre-shared-key ********
 ikev2 local-authentication pre-shared-key ********
no tunnel-group-map enable peer-ip
tunnel-group-map default-group 40.a.b.c
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
The connection seems to get as far as establishing the IKEv2 tunnel, but the tunnel is then rejected with the following error:
751022 Local:80.x.y.w:500 Remote:40.a.b.c:500 Username:40.a.b.c IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 0.0.0.0/255.255.255.255/0/65535/0 local traffic selector 0.0.0.0/255.255.255.255/0/65535/0!
In the debug output I see:
IKEv2-PROTO-2: (404): Processing IKE_AUTH message
IKEv2-PLAT-2: (404): Crypto Map: No proxy match on map CRYPTO-MAP seq 1
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: 3DES SHA96 Don't use ESN
ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404): Expected Policies:
IKEv2-PROTO-5: (404): Failed to verify the proposed policies
IKEv2-PROTO-1: (404): Failed to find a matching policy
IKEv2-PROTO-1: (404):
and:
IKEv2-PROTO-5: (237): SM Trace-> SA: I_SPI=8D624530AA96162A R_SPI=4A613765BD92DF8F (I) MsgID = 00000004 CurState: DELETE Event: EV_FREE_SA
IKEv2-PROTO-2: (237): Deleting SA
IKEv2-PROTO-1: session is not there in tree
IKEv2-PLAT-2:
CONNECTION STATUS: DOWN... peer: 40.a.b.c:500, phase1_id: 40.a.b.c
IKEv2-PLAT-2: (237): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (237): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (237): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (404): Encrypt success status returned via ipc 1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xAA15ED6E error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFBC930C6 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xDA2A46C2 error FALSE
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x2EDA754D error FALSE
Update
About the Azure side: the address space of the virtual network is 172.26.0.0/16, the gateway subnet is 172.26.0.0/27, and the subnets are 172.26.1.0/24, 172.26.2.0/24, 172.26.3.0/24, 172.26.4.0/24, 172.26.5.0/24, 172.26.6.0/24, 172.26.7.0/24, 172.26.8.0/24, 172.26.9.0/24, and so on. At the moment I have only one VM on 172.26.1.0/24, which I am using to test the VPN (as well as a large number of VMs spread across the other subnets).
Any suggestions on how to fix this site-to-site connection?
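The 751022 message and the "No proxy match on map CRYPTO-MAP seq 1" debug line above point at a traffic-selector mismatch rather than a cipher mismatch: the received ESP proposal 4 (AES-CBC-256 / SHA256) does match AZURE-TRANSFORM-2, but the Azure gateway is proposing 0.0.0.0/0 for both local and remote selectors, and a crypto map bound to an ACL that only permits 10.0.0.0/8 to the two 172.26.x prefixes cannot satisfy that. Azure route-based gateways propose any/any selectors by default; the connection must be told to use policy-based traffic selectors (which requires a custom IPsec/IKE policy on the connection). The following is an added example of doing that from the Azure side with the Az PowerShell module; it is not part of the original post, and the resource group and connection names are placeholders:

```powershell
# Added example (not the poster's configuration).
# Assumes: Az.Network module, an existing route-based VPN gateway (not the Basic
# SKU, which does not support custom IPsec/IKE policies), and a completed
# Connect-AzAccount / Set-AzContext for the subscription.
$rg       = 'rg-azurelabnet'          # assumed resource group name
$connName = 'cn-azurelabnet-to-hq'    # assumed site-to-site connection name

# Phase 1 / Phase 2 parameters mirrored from the posted ASA configuration:
#   IKEv2: AES-256, DH group 2
#   IPsec: ESP AES-256 / SHA-256, 3600 s, 102400000 KB, no PFS
# The posted ASA policy uses 'integrity sha' / 'prf sha' (SHA1); SHA256 is chosen
# here, so the ASA side needs 'integrity sha256' and 'prf sha256' to match, or
# set -IkeIntegrity SHA1 to keep the posted policy as is.
$ipsecPolicy = New-AzIpsecPolicy `
    -IkeEncryption AES256 `
    -IkeIntegrity SHA256 `
    -DhGroup DHGroup2 `
    -IpsecEncryption AES256 `
    -IpsecIntegrity SHA256 `
    -PfsGroup None `
    -SALifeTimeSeconds 3600 `
    -SADataSizeKilobytes 102400000

$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg

# With UsePolicyBasedTrafficSelectors the gateway proposes prefix-based selectors
# (VNet address space x local network gateway address prefixes) instead of
# 0.0.0.0/0, which is what a crypto-map ACL on the ASA can match.
Set-AzVirtualNetworkGatewayConnection `
    -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $ipsecPolicy `
    -UsePolicyBasedTrafficSelectors $true

# Confirm what the gateway will now propose before re-testing from the ASA.
$updated = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
$updated.UsePolicyBasedTrafficSelectors
$updated.IpsecPolicies | Format-List
```

Two caveats for the ASA side once this is applied. First, the selectors Azure proposes are built from the whole VNet address space (172.26.0.0/16 per the update) paired with the local network gateway prefixes, so the crypto ACL should mirror those prefixes exactly (10.0.0.0/8 to 172.26.0.0/16) rather than only the /27 and /24 objects, otherwise the same "No proxy match" will recur for the selectors that do not line up. Second, the alternative is to keep Azure route-based and move the ASA to a route-based IKEv2 VTI tunnel, which is only available on ASA releases that support VTI; the posted crypto-map design does not need that if the policy-based selectors above are used.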