Background
I have a Cisco 2911 router and a Cisco ASAv connected via an IKEv2-based IPsec tunnel. The tunnel initially comes up fine once some traffic has been sent from the router. The router is mobile, so it has a constantly changing external address and is always the initiator. On the ASA side the VPN peer is therefore not configured and a dynamic crypto map is used.
The IPsec connection defines two SAs; the IP on the left is the router side and the IP on the right is the ASA.
- 192.168.10.0/24 <=> xx.xx.66.0/24
- 192.168.10.0/24 <=> 192.168.255.0/24
192.168.10.0/24 is the network behind the router, xx.xx.66.0/24 is the network behind the ASA, and 192.168.255.0/24 is the IP pool for AnyConnect clients connected to the ASA.
To bring up the tunnel as soon as the router boots and has been assigned an IP address on the outside interface (Gi 0/0), the router is configured with an NTP server located in the xx.xx.66.0/24 network. This actually works fine: the IKEv2 SA comes up and the first child SA comes up as well.
Problem statement
However, the second SA (192.168.10.0/24 <=> 192.168.255.0/24) only works once I first bring up the SA from the router side by sending some packets (e.g. with ping 192.168.255.10 source vlan 10 repeat 1, where .10 is completely random). The SA then comes up and I can connect to the router from the AnyConnect pool. That is not the idea of the concept, though: the tunnel should be established so that a support engineer connected to the ASA via AnyConnect can access the router and troubleshoot any issues.
Looking at the debug output from debug crypto ikev2 protocol 50, debug crypto ikev2 platform 50 and debug crypto ipsec 50 shows no hint that the ASA even attempts to build the tunnel.
Configuration
Here are the relevant parts of both configurations. If you are missing anything, let me know.
Cisco 2911 router, running IOS 15.4(3)M3 with security license
ip cef
license boot module c2900 technology-package securityk9
!
crypto ikev2 proposal default
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 keyring EzVPNKeys
peer MR-ASA
address 146.140.xx.xx
pre-shared-key local xxx1
pre-shared-key remote xxx2
!
crypto ikev2 profile MobileRacks
match identity remote address xx.xx.193.9 255.255.255.255
identity local key-id MobileRacks
authentication remote pre-share
authentication local pre-share
keyring local EzVPNKeys
!
crypto ipsec transform-set AES256-SHA-512 esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto map FlexVPN 10 ipsec-isakmp
set peer xx.xx.193.9
set transform-set AES256-SHA-512
set pfs group14
set ikev2-profile MobileRacks
match address FlexVPN
!
interface GigabitEthernet0/0
description outside
ip address dhcp
crypto map FlexVPN
!
interface Vlan10
description management
ip address 192.168.10.254 255.255.255.0
ip access-group VL10-MGMT-IN out
ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list extended FlexVPN
permit ip 192.168.10.0 0.0.0.255 146.140.66.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 192.168.255.0 0.0.0.255
!
ntp source Vlan10
ntp server xx.xx.66.230
Cisco ASAv5, running ASA version 9.6(1)
ip local pool AnyConnectPool 192.168.255.10-192.168.255.254 mask 255.255.255.0
! Is used for AnyConnect, not shown here
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address xx.xx.193.9 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address xx.xx.66.26 255.255.255.0
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
access-list outside_cryptomap_eventrack extended permit ip xx.xx.66.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list outside_cryptomap_eventrack extended permit ip 192.168.255.0 255.255.255.0 192.168.10.0 255.255.255.0
!
crypto ipsec ikev2 ipsec-proposal FhG-AES-IKEv2
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-256-SHA
crypto dynamic-map ConsoleServerConnectionProfile 10 match address outside_cryptomap_eventrack
crypto dynamic-map ConsoleServerConnectionProfile 10 set pfs group14
crypto dynamic-map ConsoleServerConnectionProfile 10 set ikev2 ipsec-proposal FhG-AES-IKEv2
crypto dynamic-map ConsoleServerConnectionProfile 10 set security-association lifetime seconds 3600
crypto dynamic-map ConsoleServerConnectionProfile 10 set reverse-route
crypto map MapOutside 1 ipsec-isakmp dynamic ConsoleServerConnectionProfile
crypto map MapOutside 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map MapOutside interface outside
!
crypto ikev2 policy 10
encryption aes-256
integrity sha512
group 14
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
!
group-policy IKEv2GroupPolicy internal
group-policy IKEv2GroupPolicy attributes
vpn-tunnel-protocol ikev2
!
tunnel-group MobileRacks type ipsec-l2l
tunnel-group MobileRacks general-attributes
default-group-policy IKEv2GroupPolicy
tunnel-group MobileRacks ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Additional output
From the ASA's perspective, show ipsec sa peer xx.xx.xx.xx detail, where the IP is the DHCP-assigned outside IP of the router:
peer address: xx.xx.222.246
Crypto map tag: ConsoleServerConnectionProfile, seq num: 10, local addr: xx.xx.193.9
access-list outside_cryptomap_eventrack extended permit ip xx.xx.66.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (xx.xx.66.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: xx.xx.xx.xx
#pkts encaps: 16684, #pkts encrypt: 16684, #pkts digest: 16684
#pkts decaps: 16834, #pkts decrypt: 16834, #pkts verify: 16834
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16684, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: xx.xx.193.9/500, remote crypto endpt.: xx.xx.222.246/500
path mtu 1500, ipsec overhead 94(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 50D61913
current inbound spi : 1BA74E8D
inbound esp sas:
spi: 0x1BA74E8D (463949453)
transform: esp-aes-256 esp-sha-512-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 49152, crypto-map: ConsoleServerConnectionProfile
sa timing: remaining key lifetime (kB/sec): (4146528/1834)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x50D61913 (1356208403)
transform: esp-aes-256 esp-sha-512-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 49152, crypto-map: ConsoleServerConnectionProfile
sa timing: remaining key lifetime (kB/sec): (4192686/1834)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
From the router's perspective, show crypto ipsec sa detail:
interface: GigabitEthernet0/0
Crypto map tag: FlexVPN, local addr xx.xx.222.246
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xx.xx.66.0/255.255.255.0/0/0)
current_peer xx.xx.193.9 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 18179, #pkts encrypt: 18179, #pkts digest: 18179
#pkts decaps: 18024, #pkts decrypt: 18024, #pkts verify: 18024
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: xx.xx.222.246, remote crypto endpt.: xx.xx.193.9
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x1BA74E8D(463949453)
PFS (Y/N): Y, DH group: group14
inbound esp sas:
spi: 0x50D61913(1356208403)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000040, crypto map: FlexVPN
sa timing: remaining key lifetime (k/sec): (4166728/1692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1BA74E8D(463949453)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000040, crypto map: FlexVPN
sa timing: remaining key lifetime (k/sec): (4166663/1692)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
current_peer xx.xx.193.9 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0
local crypto endpt.: xx.xx.222.246, remote crypto endpt.: xx.xx.193.9
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Interestingly, the router shows both SAs, although one of them is down, whereas the ASA shows only one.
Bringing up the SA
I can bring up the SA from the router:
mobilerack1-rtr#ping 192.168.255.10 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.255.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.254
Jun 27 14:57:54.863: [ACL FlexVPN]: state = ACL notify RP action
Jun 27 14:57:55.163: IPSEC:(SESSION ID = 2) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 10 dynamic seqno 0
Jun 27 14:57:55.163: [ACL FlexVPN]: state = ACL KMI create SA for PtoP
Jun 27 14:57:55.163: [KMI Forward]: state = KMI Initializing
Jun 27 14:57:55.163: [KMI Forward]: state = change priority
Jun 27 14:57:55.163: [KMI Forward]: state = forward
Jun 27 14:57:55.163: [Ident 80000008]: state = Check. redundant request
Jun 27 14:57:55.163: [Ident 80000008]: state = Allocate Session
Jun 27 14:57:55.163: [Session]: state = Session Initialization
Jun 27 14:57:55.163: [Ident 80000008]: state = Insert Peer
Jun 27 14:57:55.163: [Ident 80000008]: state = Allocate Sibling
Jun 27 14:57:55.163: [Sibling]: state = Sibling Initialization
Jun 27 14:57:55.163: [Ident 80000008]: state = Create In/Outbound SAs
Jun 27 14:57:55.163: [Ident 80000008]: state = Ident Set Replay
Jun 27 14:57:55.163: [Ident 80000008]: state = Send SAs to sibling and install them
Jun 27 14:57:55.163: [Sibling]: state = Hook Session
Jun 27 14:57:55.167: [Session]: state = Add Sibling to Session List
Jun 27 14:57:55.167: [Sibling]: state = Fill Sibling with CE data
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Hook SA Struct to Sibling
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Install SPI
Jun 27 14:57:55.167: [Sibling 52EE23C6]: state = Del Transient SPI
Jun 27 14:57:55.167: [Ident 80000008]: state = Check. Outbound Enable Status
Jun 27 14:57:55.167: [Ident 80000008]: state = Got Enable Outbound SA
Jun 27 14:57:55.167: [Ident 80000008]: state = Select Outbound SA
Jun 27 14:57:55.167: [Ident 80000008]: state = Install New Outbound SA
Jun 27 14:57:55.167: [Ident 80000008]: state = Set flow_installed
Jun 27 14:57:55.167: IPSEC:(SESSION ID = 2) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
Jun 27 14:57:55.167: [Ident 80000008]: state = Check Install SA Declare Success
Jun 27 14:57:55.167: [Ident 80000008]: state = Declare success
Jun 27 14:57:55.167: [KMI Forward]: state = success
Jun 27 14:57:55.167: [KMI Forward]: deleting state machine
Jun 27 14:57:55.167: [ACL FlexVPN]: state = ACL KMI check result ...
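As an added example (not part of the question and not Cisco's own tooling): a small Python parser for the router's show crypto ipsec sa detail output that reports which crypto-ACL entries currently have no child SA installed (outbound SPI 0x0), so a monitoring job can detect the second selector being down instead of relying on a manual ping. The sample output and addresses (203.0.113.x, 198.51.100.x) are constructed stand-ins for the masked values in the question.

```python
import re

# Constructed sample modelled on the router's "show crypto ipsec sa detail"
# output in the question, trimmed to the lines the parser uses.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
Crypto map tag: FlexVPN, local addr 203.0.113.246
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
current_peer 198.51.100.9 port 500
#pkts encaps: 18179, #pkts encrypt: 18179, #pkts digest: 18179
#pkts decaps: 18024, #pkts decrypt: 18024, #pkts verify: 18024
current outbound spi: 0x1BA74E8D(463949453)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.255.0/255.255.255.0/0/0)
current_peer 198.51.100.9 port 500
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?: \(([^/]+)/([^/]+)/")
SPI_RE = re.compile(r"^\s*current outbound spi: 0x([0-9A-Fa-f]+)")
PKTS_RE = re.compile(r"^\s*#pkts (encaps|decaps): (\d+)")  # not "encaps failed"

def parse_ipsec_sa(text):
    """Return one record per traffic selector (crypto ACL entry).
    A new record starts at every 'local ident' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, net, mask = m.groups()
            if side == "local":
                cur = {"local": f"{net}/{mask}", "encaps": 0, "decaps": 0, "spi": 0}
                records.append(cur)
            elif cur is not None:
                cur["remote"] = f"{net}/{mask}"
            continue
        if cur is None:
            continue
        m = PKTS_RE.match(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        m = SPI_RE.match(line)
        if m:
            cur["spi"] = int(m.group(1), 16)
    return records

def find_down_sas(records):
    """A selector whose outbound SPI is 0x0 has no child SA installed."""
    return [r for r in records if r["spi"] == 0]
```

Feeding the real output of both peers through parse_ipsec_sa and comparing the selector lists also makes the asymmetry in the question visible (two selectors on the router, one on the ASA).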