Cisco ASA drops IPsec VPN traffic between itself and a CentOS server

We are currently trying to set up an IPsec VPN between a Cisco ASA V8.0(4) and a CentOS Linux server.

The tunnel comes up successfully, but for some reason we cannot figure out, the firewall is dropping the packets coming from the VPN.

The IPsec settings on the ASA are as follows:

crypto ipsec transform-set up-transform-set esp-3des esp-md5-hmac
crypto ipsec transform-set up-transform-set2 esp-3des esp-sha-hmac
crypto ipsec transform-set up-transform-set3 esp-aes esp-md5-hmac
crypto ipsec transform-set up-transform-set4 esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map linuxserver 10 match address filtro-encrypt-linuxserver
crypto map linuxserver 10 set peer linuxserver
crypto map linuxserver 10 set transform-set up-transform-set2 up-transform-set3 up-transform-set4
crypto map linuxserver 10 set security-association lifetime seconds 28800
crypto map linuxserver 10 set security-association lifetime kilobytes 4608000
crypto map linuxserver interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 3
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 4
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 5
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
group-policy linuxserverip internal
group-policy linuxserverip attributes
 vpn-filter value filtro-linuxserverip
tunnel-group linuxserverip type ipsec-l2l
tunnel-group linuxserverip general-attributes
 default-group-policy linuxserverip
tunnel-group linuxserverip ipsec-attributes
 pre-shared-key *

Does anyone know where the problem is and how to fix it?

Can you show your NAT and the related access lists on your ASA?

For example:

access-list nat0 extended permit ip 192.168.105.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nat0

Here is an excerpt from my ASA configuration, showing 2 VPNs and the difference between the no-NAT access list and the actual VPN access lists. Basically, your no-NAT access list is a summary of your VPN access lists:

!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.4.1 255.255.255.0
!
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list TOCHICAGO extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
!
global (outside) 1 interface
nat (inside) 0 access-list nat0
nat (inside) 1 192.168.4.0 255.255.255.0
!
crypto map 2GRMLA 28 match address TONJ
crypto map 2GRMLA 28 set peer xxx.xxx.xxx.xxx
crypto map 2GRMLA 28 set transform-set moishes
crypto map 2GRMLA 71 match address TOCHICAGO
crypto map 2GRMLA 71 set peer ***.***.***.***
crypto map 2GRMLA 71 set transform-set 3DES
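As an added example (not part of the answer above, and not a Cisco tool), a small Python check of the rule the answer states: every entry in a crypto-map access list must be covered by a matching entry in the nat0 exemption list, otherwise that flow is NATed before it can match the tunnel. The configuration text it parses is constructed from the answer's subnets; the function names and the simplified ACL grammar are assumptions.

```python
import ipaddress
import re

# Constructed sample in the answer's style: nat0 exemption ACL, the two
# crypto ACLs (TONJ, TOCHICAGO) and the lines that bind them.
SAMPLE_CONFIG = """
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nat0 extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list TONJ extended permit ip 192.168.4.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list TOCHICAGO extended permit ip 192.168.4.0 255.255.255.0 192.168.7.0 255.255.255.0
nat (inside) 0 access-list nat0
crypto map 2GRMLA 28 match address TONJ
crypto map 2GRMLA 71 match address TOCHICAGO
"""

# Only "permit ip <net> <mask> <net> <mask>" entries are parsed (no ports or object-groups).
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")
CMAP = re.compile(r"^crypto map \S+ \d+ match address (\S+)$")

def parse(config):
    """Collect ACL entries, the nat0 ACL name and the crypto-map ACL names."""
    acls, nat0, crypto = {}, None, []
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ACE.match(line):
            name, s, sm, d, dm = m.groups()
            pair = (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            acls.setdefault(name, []).append(pair)
        elif m := NAT0.match(line):
            nat0 = m.group(1)
        elif m := CMAP.match(line):
            crypto.append(m.group(1))
    return acls, nat0, crypto

def uncovered_vpn_flows(config):
    """(acl, src, dst) for crypto-ACL entries no nat0 entry exempts: those flows
    get NATed before encryption and never match the tunnel, so [] is the goal."""
    acls, nat0, crypto = parse(config)
    exempt = acls.get(nat0, [])
    missing = []
    for name in crypto:
        for src, dst in acls.get(name, []):
            if not any(src.subnet_of(es) and dst.subnet_of(ed) for es, ed in exempt):
                missing.append((name, str(src), str(dst)))
    return missing
```

Run it against `show run` output from the questioner's ASA (the crypto ACL `filtro-encrypt-linuxserver` and its nat0 list) to see whether any tunnel-selected subnet pair is missing an exemption.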