I ran into a small problem setting up an IKEv2 site-to-site VPN to an Azure cloud site. I am using the IPsec parameters from this document.
Phase 1 is established, but I can't figure out Phase 2. Here is the crypto configuration:
Configuration
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set azure-ipsec-proposal-set esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
protocol esp encryption aes-gcm-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address vpn-traffic-ikev2
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set ikev2 ipsec-proposal azure-ikev2-ipsec-proposal-set
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 5
encryption aes-256 3des
integrity sha256 sha
group 2
prf sha
lifetime seconds 10800
crypto ikev2 enable outside
crypto ikev2 enable Comcast
Debug
It's long, so I'll only paste the part where the problem is:
IKEv2-PROTO-2: (34): Processing IKE_AUTH message
IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Received Policies:
ESP: Proposal 1: AES-GCM-256 Don't use ESN
ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 3: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 4: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 5: 3DES SHA96 Don't use ESN
ESP: Proposal 6: 3DES SHA256 Don't use ESN
ESP: Proposal 7: DES SHA96 Don't use ESN
ESP: Proposal 8: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 9: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 10: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 11: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 12: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 13: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 14: 3DES SHA96 Don't use ESN
ESP: Proposal 15: 3DES SHA96 Don't use ESN
ESP: Proposal 16: 3DES SHA256 Don't use ESN
ESP: Proposal 17: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 18: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 19: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 20: AES-CBC-256 SHA96 Don't use ESN
ESP: Proposal 21: AES-CBC-256 SHA256 Don't use ESN
ESP: Proposal 22: AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 23: AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 24: AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 25: AES-CBC-128 SHA256 Don't use ESN
ESP: Proposal 26: 3DES SHA96 Don't use ESN
IKEv2-PROTO-1: (34): Failed to find a matching policy
IKEv2-PROTO-1: (34): Expected Policies:
IKEv2-PROTO-5: (34): Failed to verify the proposed policies
IKEv2-PROTO-1: (34): Failed to find a matching policy
So from the debug it is clear that I messed up the policy during the Phase 2 negotiation, but according to the debug, proposal 1 should be AES-GCM-256, which is what I configured.
Phase 1 tunnel
IKEv2 SAs:
Session-id:44, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
980175485 2.2.2.2/500 1.1.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 10800/26 sec
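Added example, not part of the original post or of any Cisco or Azure tooling: a small model of how an IKEv2 responder compares the initiator's ESP (Child SA) proposals against its own configured proposal set. The sample "Received Policies" lines are constructed from the debug output above, and the local proposal is built from `protocol esp encryption` / `protocol esp integrity` lines like those in the configuration. The one rule it encodes beyond string matching is from RFC 5282: a combined-mode (AEAD) cipher such as AES-GCM provides its own authentication, so an AEAD proposal carries no separate integrity transform. The mapping of ASA CLI keywords (`aes-256`, `sha-1`, `null`) to normalised names is my assumption for illustration.

```python
"""Toy IKEv2 Child SA (ESP) proposal matcher (constructed example).

Parses ASA-style debug lines ("ESP: Proposal N: ... Don't use ESN") into
proposals, builds the local proposal from ASA-style CLI lines, and shows
which peer proposal, if any, the local one equals. AEAD ciphers never
pair with an integrity transform (RFC 5282), so "aes-gcm-256 + sha-1" is
a different proposal from the peer's "AES-GCM-256".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined-mode (AEAD) ESP ciphers: they carry no separate INTEG transform.
AEAD_CIPHERS = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256"}


@dataclass(frozen=True)
class EspProposal:
    encryption: str           # normalised, e.g. "aes-cbc-256", "aes-gcm-256", "3des"
    integrity: Optional[str]  # normalised, e.g. "sha1", "sha256"; None for AEAD


# Tokens as printed in the ASA IKEv2 debug -> normalised names.
DEBUG_ENCR = {"AES-GCM-256": "aes-gcm-256", "AES-CBC-256": "aes-cbc-256",
              "AES-CBC-128": "aes-cbc-128", "3DES": "3des", "DES": "des"}
DEBUG_INTEG = {"SHA96": "sha1", "SHA256": "sha256"}

# ASA CLI keywords -> normalised names (assumed mapping for this example).
CLI_ENCR = {"aes-gcm-256": "aes-gcm-256", "aes-256": "aes-cbc-256",
            "aes": "aes-cbc-128", "3des": "3des", "des": "des"}
CLI_INTEG = {"sha-1": "sha1", "sha-256": "sha256", "null": None}

_DEBUG_LINE = re.compile(r"ESP: Proposal (\d+): (\S+)(?: (SHA96|SHA256))? Don't use ESN")


def parse_debug_proposal(line: str) -> EspProposal:
    """Parse one 'Received Policies' line from the IKEv2 debug."""
    m = _DEBUG_LINE.search(line)
    if not m:
        raise ValueError(f"not a proposal line: {line!r}")
    _, encr, integ = m.groups()
    return EspProposal(DEBUG_ENCR[encr], DEBUG_INTEG[integ] if integ else None)


def parse_cli_proposal(lines: List[str]) -> EspProposal:
    """Build the local proposal from 'protocol esp encryption/integrity' lines."""
    encr, integ = None, None
    for ln in lines:
        parts = ln.split()
        if parts[:3] == ["protocol", "esp", "encryption"]:
            encr = CLI_ENCR[parts[3]]
        elif parts[:3] == ["protocol", "esp", "integrity"]:
            integ = CLI_INTEG[parts[3]]
    if encr is None:
        raise ValueError("no encryption transform configured")
    return EspProposal(encr, integ)


def is_consistent(p: EspProposal) -> bool:
    """True when the proposal obeys RFC 5282: AEAD <=> no integrity transform."""
    return (p.encryption in AEAD_CIPHERS) == (p.integrity is None)


def find_match(received: List[EspProposal], local: EspProposal) -> Optional[int]:
    """Return the 1-based index of the first peer proposal equal to ours, or None."""
    for idx, p in enumerate(received, start=1):
        if p == local:
            return idx
    return None


# Constructed sample input: the first proposals from the debug output above.
RECEIVED_LINES = [
    "IKEv2-PROTO-1: (34): ESP: Proposal 1: AES-GCM-256 Don't use ESN",
    "IKEv2-PROTO-1: (34): ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN",
    "IKEv2-PROTO-1: (34): ESP: Proposal 3: AES-CBC-256 SHA256 Don't use ESN",
    "IKEv2-PROTO-1: (34): ESP: Proposal 4: AES-CBC-128 SHA96 Don't use ESN",
    "IKEv2-PROTO-1: (34): ESP: Proposal 5: 3DES SHA96 Don't use ESN",
]
RECEIVED = [parse_debug_proposal(ln) for ln in RECEIVED_LINES]

# Local proposal as shown in the post: AEAD cipher plus a separate integrity transform.
AS_CONFIGURED = parse_cli_proposal(["protocol esp encryption aes-gcm-256",
                                    "protocol esp integrity sha-1"])
# Same cipher with no integrity transform, as an AEAD proposal is encoded on the wire.
AEAD_ONLY = parse_cli_proposal(["protocol esp encryption aes-gcm-256",
                                "protocol esp integrity null"])
# A classic cipher+MAC proposal for comparison.
CBC_SHA1 = parse_cli_proposal(["protocol esp encryption aes-256",
                               "protocol esp integrity sha-1"])

if __name__ == "__main__":
    for name, local in [("as configured", AS_CONFIGURED),
                        ("aes-gcm-256 + null", AEAD_ONLY),
                        ("aes-256 + sha-1", CBC_SHA1)]:
        print(f"{name:20s} consistent={is_consistent(local)!s:5s} "
              f"matches peer proposal: {find_match(RECEIVED, local)}")
```

Running it prints that the as-configured proposal is internally inconsistent and matches none of the received proposals, while the AEAD-only and CBC+SHA1 forms match proposals 1 and 2 respectively; the same comparison is what a responder performs before it logs "Failed to find a matching policy".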