ASA to non-ASA site-to-site VPN - tunnel won't stay up

network engineering, cisco, cisco, network security
2021-07-15 23:57:17

I have a site-to-site tunnel set up between two locations (non-ASA initiator, ASA responder). The tunnel comes up but does not stay up. I'm 95% sure something is wrong with my crypto map, but I'm at a loss. The initiator's configuration is mostly hard-coded.

For what I've posted below, 2.2.2.2 is the initiator's virtual address. See the "diagram".

192.168.54.0/23 - 1.1.1.1 ------------ 2.2.2.2 - 10.24.16.0/28

Here is the more interesting part of the config.

crypto ipsec security-association replay disable
crypto ipsec security-association pmtu-aging infinite
crypto map Internet_map 1 match address Internet_cryptomap_14
crypto map Internet_map 1 set pfs group5
crypto map Internet_map 1 set peer 2.2.2.2
crypto map Internet_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Internet_map interface Internet
crypto ca trustpool policy
crypto ikev1 enable Internet
crypto ikev1 policy 30
 authentication pre-share

no arp permit-nonconnected
nat (Internet,Lab) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static interface JUMPHOST service RDP-to-JH RDP-real description RDP to Terminal Server
nat (any,Lab) source static local-network local-network destination static LABTS LABTS service HTTPS HTTPS net-to-net
nat (Lab,Internet) source dynamic any interface description Lab computers share firewall's Internet address.
nat (Lab,Internet) source static any any destination static NETWORK_OBJ_192.168.56.0_24 NETWORK_OBJ_192.168.56.0_24
nat (Lab,Internet) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup
access-list Lab_access_in extended permit ip object local-network object remote-network 
access-list Internet_cryptomap extended permit ip any4 object remote-network 
access-list Internet_cryptomap_1 extended permit ip any4 object remote-network 
access-list Internet_cryptomap_2 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_3 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_4 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_5 extended permit ip any4 any4 
access-list Internet_cryptomap_65535.65535 extended permit ip object IP-for-RDP-PAT any4 
access-list Internet_cryptomap_6 extended permit ip any4 object remote-network 
access-list Internet_cryptomap_7 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_65535.65535_1 extended permit ip any4 any4 inactive 
access-list Lab_cryptomap_65535.65535 extended permit ip any4 any4 inactive 
access-list Internet_cryptomap_9 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_8 extended permit ip object local-network any4 
access-list Internet_cryptomap_10 extended permit ip any4 object remote-network 
access-list Internet_cryptomap_11 extended permit ip object local-network object remote-network 
access-list Lab_cryptomap_1 extended permit ip object remote-network object local-network 
access-list Internet_cryptomap_12 extended permit ip any any 
access-list Internet_cryptomap_13 extended permit ip object local-network object remote-network 
access-list Internet_cryptomap_14 extended permit ip object local-network object remote-network 

I'm not sure what debugs anyone would want to see. Shout and I'll post them. Thanks for any help.

LSC

Update: here is the output of "debug crypto isakmp 127".

Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 204
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Oakley proposal is acceptable
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Received xauth V6 VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Received DPD VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing IKE SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA Proposal # 1, Transform # 0 acceptable  Matches global IKE entry # 4
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing ISAKMP SA payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 244
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing ke payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing ISA_KE payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing ke payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing nonce payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing Cisco Unity VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing xauth V6 VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Send IOS VID
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, constructing VID payload
Nov 24 08:41:54 [IKEv1 DEBUG]IP = 2.2.2.2, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
Nov 24 08:41:54 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating keys for Responder...
Nov 24 08:41:54 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 320
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 64
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, Connection landed on tunnel_group 2.2.2.2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing ID payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Computing hash for ISAKMP
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing dpd vid payload
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 84
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, Keep-alive type for this connection: DPD
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Starting P1 rekey timer: 8100 seconds.
Nov 24 08:41:55 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 91e61bae
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=91e61bae) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 416
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR_SUBNET ID received--10.24.16.0--255.255.255.240
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote IP Proxy Subnet data in ID Payload:   Address 10.24.16.0, Mask 255.255.255.240, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR_SUBNET ID received--192.168.54.0--255.255.254.0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.54.0, Mask 255.255.254.0, Protocol 0, Port 0
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map Internet_map, seq = 1 is a successful match
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, IKE Remote Peer configured for crypto map: Internet_map
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing IPSec SA payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IPSec SA Proposal # 0, Transform # 1 acceptable  Matches global IPSec SA entry # 1
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, IKE: requesting SPI!
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE got SPI from key engine: SPI = 0x59d8f571
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, oakley constucting quick mode
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec SA payload
Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing IPSec nonce payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing pfs ke payload
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing proxy ID
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Transmitting Proxy Id:
  Remote subnet: 10.24.16.0  Mask 255.255.255.240 Protocol 0  Port 0
  Local subnet:  192.168.54.0  mask 255.255.254.0 Protocol 0  Port 0
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Sending RESPONDER LIFETIME notification to Initiator
Nov 24 08:41:55 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:41:55 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, IKE Responder sending 2nd QM pkt: msg id = 91e61bae
Nov 24 08:41:55 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=91e61bae) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 388
Nov 24 08:41:56 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 279cbbd1
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=279cbbd1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 408
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:56 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:41:56 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
1.1.1.1
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map = Internet_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:1.1.1.1
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface Internet
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending notify message
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=61889da) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 464
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM FSM error (P2 struct &0x00007fffa2f8dfe0, mess id 0x279cbbd1)!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE QM Responder FSM error history (struct &0x00007fffa2f8dfe0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
Nov 24 08:41:56 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=91e61bae) with payloads : HDR + HASH (8) + NONE (0) total length : 52
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, loading all IPSEC SAs
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating Quick Mode Key!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, NP encrypt rule look up for crypto map Internet_map 1 matching ACL Internet_cryptomap_14: returned cs_id=a204c060; encrypt_rule=a2116350; tunnelFlow_rule=a2116a10
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Generating Quick Mode Key!
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, NP encrypt rule look up for crypto map Internet_map 1 matching ACL Internet_cryptomap_14: returned cs_id=a204c060; encrypt_rule=a2116350; tunnelFlow_rule=a2116a10
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Security negotiation complete for LAN-to-LAN Group (2.2.2.2)  Responder, Inbound SPI = 0x59d8f571, Outbound SPI = 0xcce2fd3a
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE got a KEY_ADD msg for SA: SPI = 0xcce2fd3a
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Pitcher: received KEY_UPDATE, spi 0x59d8f571
Nov 24 08:41:56 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Starting P2 rekey timer: 3418 seconds.
Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, PHASE 2 COMPLETED (msgid=91e61bae)
Nov 24 08:42:06 [IKEv1 DECODE]IP = 2.2.2.2, IKE Responder starting QM: msg id = 279cbbd1
Nov 24 08:42:06 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=279cbbd1) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 408
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing SA payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing nonce payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ke payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ISA_KE for PFS in phase 2
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:42:06 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
2.2.2.2
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 0, Port 0
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing ID payload
Nov 24 08:42:06 [IKEv1 DECODE]Group = 2.2.2.2, IP = 2.2.2.2, ID_IPV4_ADDR ID received
1.1.1.1
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM IsRekeyed old sa not found by addr
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, checking map = Internet_map, seq = 1...
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Static Crypto Map check, map = Internet_map, seq = 1, ACL does not match proxy IDs src:2.2.2.2 dst:1.1.1.1
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 2.2.2.2/255.255.255.255/0/0 local proxy 1.1.1.1/255.255.255.255/0/0 on interface Internet
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending notify message
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:42:06 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=6516a9f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 464
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, QM FSM error (P2 struct &0x00007fffa2f8dfe0, mess id 0x279cbbd1)!
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, IKE QM Responder FSM error history (struct &0x00007fffa2f8dfe0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Nov 24 08:42:06 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, sending delete/delete with reason message
Nov 24 08:42:06 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from correlator table failed, no match!
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Sending keep-alive of type DPD R-U-THERE (seq number 0x5439854b)
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing blank hash payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, constructing qm hash payload
Nov 24 08:42:10 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=290294a3) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 24 08:42:10 [IKEv1]IP = 2.2.2.2, IKE_DECODE RECEIVED Message (msgid=de876da5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing hash payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, processing notify payload
Nov 24 08:42:10 [IKEv1 DEBUG]Group = 2.2.2.2, IP = 2.2.2.2, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5439854b)

For what it's worth, here is my Crypto Map window from ASDM.

Object groups:

object network local-network
object network remote-network
object-group network DM_INLINE_NETWORK_1
 network-object object ABC-Corp
 network-object object Lab-Offsite
object-group network DM_INLINE_NETWORK_2
 network-object object ABC-Corp
 network-object object Lab-Offsite
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 26291
 port-object eq 3389
 port-object eq ftp
object-group network DM_INLINE_NETWORK_3
 network-object object ABC-Corp
 network-object object Lab-Offsite
object-group network DM_INLINE_NETWORK_4
 network-object object ABC-Corp
 network-object object Lab-Offsite

[Image: ASDM crypto map]
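The debug above shows the responder accepting the first quick-mode exchange (proxy IDs 10.24.16.0/28 and 192.168.54.0/23, which Internet_cryptomap_14 covers) and then rejecting a second one whose proxy IDs are the peer addresses themselves (2.2.2.2/32 and 1.1.1.1/32, "ACL does not match proxy IDs"). The small checker below pulls the "Received remote/local ... Proxy ... data" lines out of such a debug and tests each pair against the crypto ACL, so the mismatched exchange stands out without reading the whole log. This is an added example, not code from the original post; the contents of the local-network and remote-network objects are assumed from the diagram in the question, and the four sample log lines are copied from the debug output above.

```python
"""Added example (not from the original post): check the quick-mode proxy IDs
an IKEv1 peer sends, as printed by 'debug crypto isakmp', against the crypto
ACL bound to the ASA's crypto map.  Object contents are taken from the
diagram in the question; that mapping is an assumption."""
import ipaddress
import re

# Assumed contents of the two network objects, from the diagram.
OBJECTS = {
    "local-network": ipaddress.ip_network("192.168.54.0/23"),
    "remote-network": ipaddress.ip_network("10.24.16.0/28"),
}

# The ACL that crypto map Internet_map seq 1 matches on (from the question).
CRYPTO_ACL = ("access-list Internet_cryptomap_14 extended permit ip "
              "object local-network object remote-network")

# 'Received remote/local ... Proxy ... data' lines of the debug output.
PROXY_RE = re.compile(
    r"Received (?P<side>remote|local) (?:IP Proxy Subnet|Proxy Host) data in "
    r"ID Payload:\s+Address (?P<addr>[\d.]+)(?:, Mask (?P<mask>[\d.]+))?"
)


def _acl_addr(tokens, i):
    """Parse one ACL address term at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}"), i + 2  # "net mask" form


def parse_crypto_acl(line):
    """Return (source, destination) networks of an 'extended permit ip' ACE."""
    tokens = line.split()
    i = tokens.index("ip") + 1
    src, i = _acl_addr(tokens, i)
    dst, _ = _acl_addr(tokens, i)
    return src, dst


def parse_proxy_ids(log_lines):
    """Pair remote/local proxy IDs per quick-mode exchange: list of (remote, local)."""
    exchanges, current = [], {}
    for line in log_lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        mask = m.group("mask") or "255.255.255.255"   # host IDs carry no mask
        current[m.group("side")] = ipaddress.ip_network(f"{m.group('addr')}/{mask}")
        if "remote" in current and "local" in current:
            exchanges.append((current["remote"], current["local"]))
            current = {}
    return exchanges


def check_proxy_ids(acl_line, log_lines):
    """Per exchange: (local proxy, remote proxy, True if the ACE covers both).

    On the responder the ACE's source is the local side and its destination
    the remote side, so the peer's IDs must fall inside those two networks.
    """
    acl_src, acl_dst = parse_crypto_acl(acl_line)
    return [
        (str(local), str(remote), local.subnet_of(acl_src) and remote.subnet_of(acl_dst))
        for remote, local in parse_proxy_ids(log_lines)
    ]


# Four lines copied from the debug output in the question: the first exchange
# carries the subnets, the second carries the peer addresses as host IDs.
SAMPLE_LOG = [
    "Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote IP Proxy Subnet data in ID Payload:   Address 10.24.16.0, Mask 255.255.255.240, Protocol 0, Port 0",
    "Nov 24 08:41:55 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local IP Proxy Subnet data in ID Payload:   Address 192.168.54.0, Mask 255.255.254.0, Protocol 0, Port 0",
    "Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received remote Proxy Host data in ID Payload:  Address 2.2.2.2, Protocol 0, Port 0",
    "Nov 24 08:41:56 [IKEv1]Group = 2.2.2.2, IP = 2.2.2.2, Received local Proxy Host data in ID Payload:  Address 1.1.1.1, Protocol 0, Port 0",
]

if __name__ == "__main__":
    for local, remote, ok in check_proxy_ids(CRYPTO_ACL, SAMPLE_LOG):
        verdict = "matches ACL" if ok else "NO MATCH -> quick mode rejected"
        print(f"local {local:<18} remote {remote:<16} {verdict}")
```

Run it as-is and the second line reports the host-to-host exchange as the one the ASA rejects; feed it a real debug capture and the crypto ACL from `show run access-list` to do the same check on another box.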

1 Answer

So it looks like there was a lot going on here. For one, the remote device is the VPN initiator, and apparently it doesn't like receiving responder packets. I switched the ASA connection profile from "bidirectional" to "answer-only". That cleared up most of the errors shown above, but traffic still wasn't passing.

Turns out my tunnel NAT was at the bottom of the list, so the traffic was being picked up by another NAT. That was the hint from the link I was given. Just moved it to the top and all is well.

Thanks all for the help.
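The second fix in the answer comes down to how the ASA evaluates manual (section 1) NAT rules: first match wins, in the order the rules are listed. In the config posted in the question, `nat (Lab,Internet) source dynamic any interface` sits above the identity rule for local-network to remote-network, so VPN-bound traffic is PATed to the Internet address before the exemption is ever reached, and the source no longer matches the crypto ACL. The walk-through below, an added example that is not code from the post, shows both orders on the two rules the answer is about; the object contents and the 1.1.1.1 interface address are assumed from the diagram.

```python
"""Added example (not from the original post): a first-match walk through
the ASA's manual (section 1) NAT rules, showing why the order of the
Lab->Internet rules decides whether VPN traffic is exempted or PATed.
The rule list is cut down to the two rules the answer is about; object
contents and the interface address are assumed from the question's diagram."""
import ipaddress

# Assumed object contents, from the diagram in the question.
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "local-network": ipaddress.ip_network("192.168.54.0/23"),
    "remote-network": ipaddress.ip_network("10.24.16.0/28"),
}
INTERFACE_IP = "1.1.1.1"   # ASA's Internet-side address in the diagram (assumed)


class NatRule:
    """Minimal parse of one 'nat (in,out) source ... [destination ...]' line."""

    def __init__(self, line):
        tokens = line.split()
        self.text = line
        self.src_type = tokens[3]               # 'dynamic' or 'static'
        self.src_real = OBJECTS[tokens[4]]
        self.src_mapped = tokens[5]             # object name or 'interface'
        self.dst_real = None                    # no destination clause: any dst
        if "destination" in tokens:
            d = tokens.index("destination")
            self.dst_real = OBJECTS[tokens[d + 2]]

    def matches(self, src, dst):
        if src not in self.src_real:
            return False
        if self.dst_real is not None and dst not in self.dst_real:
            return False
        return True

    def translate(self, src):
        # Dynamic PAT to the interface address; otherwise the static identity
        # form used here (same object as real and mapped) leaves the source alone.
        if self.src_type == "dynamic" and self.src_mapped == "interface":
            return INTERFACE_IP
        return str(src)


def apply_nat(rule_lines, src_ip, dst_ip):
    """Return (translated source, text of the rule that matched or None).

    Rules are tried top to bottom and the first match wins, which is how the
    ASA walks section 1 (manual NAT) rules.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in (NatRule(line) for line in rule_lines):
        if rule.matches(src, dst):
            return rule.translate(src), rule.text
    return src_ip, None


# Rules in the order they appear in the question: dynamic PAT above the VPN
# identity NAT.
RULES_AS_POSTED = [
    "nat (Lab,Internet) source dynamic any interface",
    "nat (Lab,Internet) source static local-network local-network "
    "destination static remote-network remote-network no-proxy-arp route-lookup",
]
# The same two rules with the VPN exemption moved to the top, as in the answer.
RULES_FIXED = list(reversed(RULES_AS_POSTED))

if __name__ == "__main__":
    for name, rules in (("as posted", RULES_AS_POSTED), ("fixed", RULES_FIXED)):
        mapped, hit = apply_nat(rules, "192.168.54.10", "10.24.16.5")
        print(f"{name:>9}: 192.168.54.10 -> 10.24.16.5 leaves as {mapped}\n"
              f"           via: {hit}")
```

With the rules as posted, a Lab host talking to the remote subnet leaves as 1.1.1.1 and never matches `Internet_cryptomap_14`; with the exemption on top it keeps its real address for VPN destinations and is still PATed for everything else. On a real box, `packet-tracer input Lab tcp 192.168.54.10 12345 10.24.16.5 443` shows the same NAT phase and which rule was hit.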