IKEv2 tunnel between ASA and Mikrotik

Network Engineering user
Asked 2020-04-07 18:34:19
2 answers, 3.8K views, 0 followers, 2 votes

I'm attempting to move our office router from pfSense to a Mikrotik, and the only sticking point is maintaining a site-to-site IPsec tunnel to our Cisco ASA. The settings all look correct to me, and the tunnel comes up on both sides (see the caveat below), but no traffic passes between the networks.

The only suspicious thing I can find is this message in the Cisco logs:

Apr  7 13:08:35 asa1.pofp.internal %ASA-4-750003: Local:9.8.7.6:500 Remote:2.3.4.5:500 Username:Unknown 
IKEv2 Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

There is no NAT involved here, and no firewall between these devices.

I hesitate to mention this for fear of muddying the waters, but the tunnel has worked twice in my testing, with this same configuration. Success seemed to happen randomly while I was manually tearing down the tunnel on both devices, possibly related to the timing of which side initiated? In both cases, however, the tunnel stopped passing traffic after the P2 timeout.

Mikrotik config:

/ip ipsec profile
add dh-group=ecp521 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha512 name=asa-p1 nat-traversal=no
/ip ipsec peer
add address=9.8.7.6/32 exchange-mode=ike2 name=NOC port=500 profile=asa-p1 send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=8h name=asa-p2 pfs-group=ecp521
/ip ipsec identity
add peer=NOC secret="*****"
/ip ipsec policy
set 0 disabled=yes
add dst-address=192.168.242.0/24 proposal=asa-p2 sa-dst-address=9.8.7.6 sa-src-address=0.0.0.0 src-address=192.168.243.0/24 tunnel=yes
/ip firewall nat
add chain=srcnat dst-address=192.168.242.0/24 src-address=192.168.243.0/24
add chain=srcnat dst-address=192.168.243.0/24 src-address=192.168.242.0/24
add action=masquerade chain=srcnat out-interface="WAN port"
/ip firewall filter
add action=accept chain=input comment="Allow established input traffic" connection-state=established,related
add action=accept chain=input comment=IPSEC dst-port=500 in-interface="WAN port" protocol=udp
add action=accept chain=input comment="IPSEC NAT-T" dst-port=4500 in-interface="WAN port" protocol=udp
add action=accept chain=input comment="IPSEC ESP" in-interface="WAN port" protocol=ipsec-esp
...

Cisco config:

object network NOC-network
 subnet 192.168.242.0 255.255.255.0
object network Calgary-network
 subnet 192.168.243.0 255.255.255.0

crypto ipsec ikev2 ipsec-proposal AESGCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite

crypto ikev2 policy 2
 encryption aes-gcm-256
 integrity null
 group 21 24
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 3
 encryption aes-256
 integrity sha512
 group 21 24
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE

group-policy GroupPolicy_IKEv2 internal
group-policy GroupPolicy_IKEv2 attributes
 vpn-tunnel-protocol ikev2 
tunnel-group 2.3.4.5 type ipsec-l2l
tunnel-group 2.3.4.5 general-attributes
 default-group-policy GroupPolicy_IKEv2
tunnel-group 2.3.4.5 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

access-list OUTSIDE_cryptomap_1 extended permit ip object NOC-network object Calgary-network 
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Calgary-network Calgary-network no-proxy-arp route-lookup
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 2 set pfs group21
crypto map OUTSIDE_map 2 set peer 2.3.4.5 
crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 2 set security-association lifetime kilobytes unlimited
crypto map OUTSIDE_map 2 set nat-t-disable
crypto map OUTSIDE_map interface OUTSIDE

For some reason, the ASA shows two bidirectional tunnels:

while the Mikrotik only sees one (unlike the ASA, it shows each direction as a separate entry):

> ip ipsec installed-sa print 
Flags: H - hw-aead, A - AH, E - ESP 
 0  E spi=0x6FFE0E4 src-address=9.8.7.6 dst-address=2.3.4.5 state=mature enc-algorithm=aes-gcm enc-key-size=288 
      enc-key="2a217b491be5a5297a8a78759e940bc4677b59834630282a2a24baaf3198c6539cc435b0" add-lifetime=6h24m8s/8h10s replay=128 

 1  E spi=0xF315FE3C src-address=2.3.4.5 dst-address=9.8.7.6 state=mature enc-algorithm=aes-gcm enc-key-size=288 
      enc-key="405b00868a64c35521ccfa6feac97316d19220bb4b7b3346964ad0dd0415a54d3ccda8ca" add-lifetime=6h24m8s/8h10s replay=128 

Packet tracer output:

CORP-ASA1# packet-tracer input INSIDE tcp 192.168.242.100 1234 192.168.243.100$

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 9.8.7.6 using egress ifc  OUTSIDE

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Calgary-network Calgary-network no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.168.243.100/1234 to 192.168.243.100/1234

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit ip object-group DM_INLINE_NETWORK_4 any 
object-group network DM_INLINE_NETWORK_4
 network-object aaa:bbb:ccc:242::/64
 network-object 192.168.242.0 255.255.255.0
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Calgary-network Calgary-network no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.242.100/1234 to 192.168.242.100/1234

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:       
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-EXPORT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12     
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Calgary-network Calgary-network no-proxy-arp route-lookup
Additional Information:

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: IP-OPTIONS
Subtype:      
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 2426669873, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
2 answers

Network Engineering user

Accepted answer

Posted 2020-06-04 16:50:18

After getting nowhere with IKEv2, I went back to basics and tried an IKEv1 tunnel. The same thing happened: both sides showed the tunnel up, but the ASA never returned any encrypted bytes.

So, not a great answer, but all it took was a reboot of the ASA, and it started working perfectly.

1 vote

Network Engineering user

Posted 2020-05-04 13:04:21

Looking at the Mikrotik config, the phase 2 SA timer appears to be 8 hours, while no specific timer is set in the ASA config. Its default is probably 3600 s / 1 hour. Please try matching the timers on either side.

0 votes
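The proposal agreement that the question's two configs are supposed to have, and the lifetime point raised in the answer above, can be checked mechanically rather than by eye. The following is an added example, not code from the original thread or from either vendor: it parses the negotiation-relevant lines of both configs (copied inline from the question, secrets and firewall rules dropped), maps RouterOS group names to IANA IKEv2 group numbers, normalises algorithm spellings so that `aes-256-gcm` and `aes-gcm-256` compare equal, and reports whether each negotiated parameter agrees: IKE proposal against the ASA's `crypto ikev2 policy` set, ESP cipher, PFS group, NAT-T, mirrored traffic selectors, and the ESP lifetime. The ASA lifetime is taken from the crypto map entry, then from the global `crypto ipsec security-association lifetime seconds` command, and otherwise from a caller-supplied value (`asa_default_esp_lifetime`), which is an assumption to be confirmed on the firewall (for example with `show running-config all crypto ipsec`) rather than guessed. The function names, the `ROS_GROUP` table and the trimmed config excerpts are mine.

```python
import ipaddress
import re

# Constructed input: the lines that matter for negotiation, copied from the two configs posted in the question.
MT_CFG = """\
/ip ipsec profile
add dh-group=ecp521 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha512 name=asa-p1 nat-traversal=no
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=8h name=asa-p2 pfs-group=ecp521
/ip ipsec policy
add dst-address=192.168.242.0/24 proposal=asa-p2 sa-dst-address=9.8.7.6 sa-src-address=0.0.0.0 src-address=192.168.243.0/24 tunnel=yes
"""
ASA_CFG = """\
object network NOC-network
 subnet 192.168.242.0 255.255.255.0
object network Calgary-network
 subnet 192.168.243.0 255.255.255.0
crypto ipsec ikev2 ipsec-proposal AESGCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ikev2 policy 3
 encryption aes-256
 integrity sha512
 group 21 24
 prf sha512
access-list OUTSIDE_cryptomap_1 extended permit ip object NOC-network object Calgary-network
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 2 set pfs group21
crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 2 set nat-t-disable
"""
# RouterOS DH/PFS group names -> IANA IKEv2 group numbers (assumed table, covers the groups used on this page).
ROS_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14, "ecp256": 19, "ecp384": 20, "ecp521": 21}

def canon(alg):  # vendor-neutral key: 'aes-gcm-256' == 'aes-256-gcm', 'sha-512' == 'sha512'
    return tuple(sorted(re.findall(r"[a-z]+|\d+", alg.lower())))

def ros_seconds(text):  # RouterOS duration ('8h', '1d12h30m') -> seconds
    return sum(int(n) * {"d": 86400, "h": 3600, "m": 60, "s": 1}[u] for n, u in re.findall(r"(\d+)([dhms])", text))

def parse_routeros(cfg):
    """First 'add' entry of each /ip ipsec section, reduced to what IKEv2 actually negotiates."""
    sec, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("/"):
            cur = line
        elif cur and line.startswith("add ") and cur not in sec:
            sec[cur] = {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}
    prof, prop, pol = sec["/ip ipsec profile"], sec["/ip ipsec proposal"], sec["/ip ipsec policy"]
    return {"ike": {"enc": canon(prof["enc-algorithm"]), "integ": canon(prof["hash-algorithm"]),
                    "prf": canon(prof["hash-algorithm"]), "group": ROS_GROUP[prof["dh-group"]]},
            "esp_enc": canon(prop["enc-algorithms"]), "esp_integ": canon(prop["auth-algorithms"]),
            "pfs": ROS_GROUP[prop["pfs-group"]], "esp_lifetime": ros_seconds(prop["lifetime"]),
            "nat_t": prof.get("nat-traversal", "yes") == "yes",
            "local": ipaddress.ip_network(pol["src-address"]), "remote": ipaddress.ip_network(pol["dst-address"])}

def parse_asa(cfg):
    """The crypto map entry that carries an IKEv2 proposal, resolved through its proposal, ACL and objects."""
    objs = {n: ipaddress.ip_network(f"{a}/{m}") for n, a, m in re.findall(r"^object network (\S+)\n subnet (\S+) (\S+)", cfg, re.M)}
    name, seq, prop = re.search(r"^crypto map (\S+) (\d+) set ikev2 ipsec-proposal (\S+)", cfg, re.M).groups()
    entry = "\n".join(l for l in cfg.splitlines() if l.startswith(f"crypto map {name} {seq} "))
    acl = re.search(r"match address (\S+)", entry).group(1)
    src, dst = re.search(r"^access-list " + re.escape(acl) + r" extended permit ip object (\S+) object (\S+)", cfg, re.M).groups()
    esp = re.search(r"^crypto ipsec ikev2 ipsec-proposal " + re.escape(prop) + r"\n((?: .*\n)+)", cfg, re.M).group(1)
    integ = re.search(r"integrity (\S+)", esp)
    life = (re.search(r"set security-association lifetime seconds (\d+)", entry)
            or re.search(r"^crypto ipsec security-association lifetime seconds (\d+)", cfg, re.M))
    policies = [{"enc": canon(re.search(r"encryption (\S+)", b).group(1)), "integ": canon(re.search(r"integrity (\S+)", b).group(1)),
                 "prf": canon(re.search(r"prf (\S+)", b).group(1)), "groups": [int(g) for g in re.search(r"group ([\d ]+)", b).group(1).split()]}
                for b in re.findall(r"^crypto ikev2 policy \d+\n((?: .*\n)+)", cfg, re.M)]
    return {"ike_policies": policies, "esp_enc": canon(re.search(r"encryption (\S+)", esp).group(1)),
            "esp_integ": canon(integ.group(1)) if integ else None, "pfs": int(re.search(r"set pfs group(\d+)", entry).group(1)),
            "esp_lifetime": int(life.group(1)) if life else None, "nat_t": "set nat-t-disable" not in entry,
            "local": objs[src], "remote": objs[dst]}

def compare(mt, asa, asa_default_esp_lifetime):
    """(check, ok, detail) per parameter; asa_default_esp_lifetime is the caller's assumption, read the real value off the ASA."""
    m = mt["ike"]
    ike_ok = any(p["enc"] == m["enc"] and p["integ"] == m["integ"] and p["prf"] == m["prf"] and m["group"] in p["groups"]
                 for p in asa["ike_policies"])
    aead = "gcm" in mt["esp_enc"]
    asa_life = asa["esp_lifetime"] if asa["esp_lifetime"] is not None else asa_default_esp_lifetime
    return [
        ("ike proposal", ike_ok, f"mikrotik {m} vs asa policies {asa['ike_policies']}"),
        ("esp encryption", mt["esp_enc"] == asa["esp_enc"], f"{mt['esp_enc']} vs {asa['esp_enc']}"),
        ("esp integrity", aead or mt["esp_integ"] == asa["esp_integ"],
         "AEAD cipher, no separate ESP integrity transform is negotiated (RFC 5282)" if aead else f"{mt['esp_integ']} vs {asa['esp_integ']}"),
        ("pfs group", mt["pfs"] == asa["pfs"], f"{mt['pfs']} vs {asa['pfs']}"),
        ("nat-t", mt["nat_t"] == asa["nat_t"], f"{mt['nat_t']} vs {asa['nat_t']}"),
        ("esp lifetime", mt["esp_lifetime"] == asa_life,
         f"{mt['esp_lifetime']}s vs {asa_life}s" + ("" if asa["esp_lifetime"] else " (ASA side is the assumed default)")),
        ("selectors mirror", mt["local"] == asa["remote"] and mt["remote"] == asa["local"],
         f"{mt['local']}->{mt['remote']} vs {asa['local']}->{asa['remote']}"),
    ]

if __name__ == "__main__":
    for check, ok, detail in compare(parse_routeros(MT_CFG), parse_asa(ASA_CFG), asa_default_esp_lifetime=28800):
        print(f"[{'ok ' if ok else 'BAD'}] {check}: {detail}")
```

With the ASA default supplied as 28800 s every check passes on the posted configs; with 3600 s, the figure the answer above suggests, only the lifetime check fails, which is exactly the comparison the answer asks for. Two caveats on interpreting that result: IKEv2 does not negotiate lifetimes at all (RFC 7296, section 2.8), so a mismatch only changes which peer rekeys first and cannot by itself stop the Child SA from being established; and because the MikroTik proposal uses an AEAD cipher, the script deliberately does not treat the `auth-algorithms`/`integrity` pair as a negotiated transform.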

Original page content provided by Network Engineering; Chinese translation supplied by Tencent Cloud's IT-domain translation engine.
Original link:

https://networkengineering.stackexchange.com/questions/67085