VPN tunnel between Cisco ASA and Ubuntu using strongswan

I am trying to establish a VPN tunnel between X (left) and Y (right).

A. Situation

X = 34.XXX (Ubuntu 16.04 with strongswan)
Y = 198.YYY (Cisco ASA)

Looking at the logs from X, the pre-shared key is validated successfully and the first-phase IKE_SA is established. IKEv2 then moves on to the second phase, but the CHILD_SA (IPsec SA) fails with NO_PROPOSAL_CHOSEN. In the logs from Y it says that IKEv2 is not enabled for the group (?)

B. Question

Does this mean IKEv2 is not enabled on X or on Y? The ipsec.conf on X has the line keyexchange:ikev2, so it can't be X … right? NO_PROPOSAL_CHOSEN looks like an encryption-method mismatch between X and Y … or is it just that IKEv2 is not enabled?

C. X-side IPsec log:

initiating IKE_SA buysignal-ice[4] to 198.YYY
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 172.30.1.8[500] to 198.YYY[500] (952 bytes)
received packet: from 198.YYY[500] to 172.30.1.8[500] (453 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No VVVN(NATD_S_IP) N(NATD_D_IP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received unknown vendor ID: 43:49:53:43:4f:2d:47:52:45:2d:4d:4f:44:45:02
received FRAGMENTATION vendor ID
local host is behind NAT, sending keep alives
authentication of '34.XXX' (myself) with pre-shared key
establishing CHILD_SA buysignal-ice
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from 172.30.1.8[4500] to 198.YYY[4500] (316 bytes)
received packet: from 198.YYY[4500] to 172.30.1.8[4500] (124 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '198.YYY' with pre-shared key successful
IKE_SA buysignal-ice[4] established between 172.30.1.8[34.XXX]...198.YYY[198.YYY]
scheduling reauthentication in 27814s
maximum IKE_SA lifetime 28354s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'buysignal-ice' failed

D. Y-side Cisco ASA log

Jul 12 08:23:56 192.168.30.1 Jul 12 2017 04:21:39 k-bxb-vpn1us : %ASA-6-113009: AAA retrieved default group policy (l2lgrouppolicy) for user = 34.XXX
Jul 12 08:23:56 192.168.30.1 Jul 12 2017 04:21:39 k-bxb-vpn1us : %ASA-3-751008: Local:198.YYY:4500 Remote:34.XXX:4500 Username:34.XXX IKEv2 Group=34.XXX, Tunnel rejected: IKEv2 not enabled in group policy
Jul 12 08:23:56 192.168.30.1 Jul 12 2017 04:21:39 k-bxb-vpn1us : %ASA-5-750007: Local:198.YYY:4500 Remote:34.XXX:4500 Username:34.XXX IKEv2 SA DOWN. Reason: local failure
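As an added example (not part of the post, and not a strongswan or Cisco tool), a small Python triage script over the kind of lines quoted in sections C and D: it works out from the strongswan side which stage stopped (IKE_SA established, CHILD_SA not) and reads the ASA's own rejection reason, because NO_PROPOSAL_CHOSEN at the initiator alone does not distinguish a proposal mismatch from a policy rejection on the responder. The sample log lines are constructed, abbreviated from the two logs above.

```python
import re

# Constructed sample lines, abbreviated from the two logs quoted in the post.
STRONGSWAN_LOG = """\
authentication of '198.YYY' with pre-shared key successful
IKE_SA buysignal-ice[4] established between 172.30.1.8[34.XXX]...198.YYY[198.YYY]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""
ASA_LOG = """\
k-bxb-vpn1us : %ASA-6-113009: AAA retrieved default group policy (l2lgrouppolicy) for user = 34.XXX
k-bxb-vpn1us : %ASA-3-751008: Local:198.YYY:4500 Remote:34.XXX:4500 Username:34.XXX IKEv2 Group=34.XXX, Tunnel rejected: IKEv2 not enabled in group policy
"""

def triage_initiator(log):
    # How far the strongswan initiator got, and the last notify it received.
    state = {"ike_sa": False, "child_sa": False, "notify": None}
    for line in log.splitlines():
        if re.search(r"\bIKE_SA \S+ established", line):
            state["ike_sa"] = True
        if re.search(r"\bCHILD_SA \S+ established", line):
            state["child_sa"] = True
        if m := re.search(r"received (\w+) notify", line):
            state["notify"] = m.group(1)
    return state

def triage_responder(log):
    # The group policy the ASA applied (113009) and its rejection reason (751008).
    info = {"group_policy": None, "rejected": None}
    for line in log.splitlines():
        if m := re.search(r"%ASA-\d-113009: .*group policy \((\S+)\)", line):
            info["group_policy"] = m.group(1)
        if m := re.search(r"%ASA-\d-751008: .*Tunnel rejected: (.*)$", line):
            info["rejected"] = m.group(1).strip()
    return info

def diagnose(initiator_log, responder_log):
    # The initiator's NO_PROPOSAL_CHOSEN alone is ambiguous; the responder's log settles it.
    i, r = triage_initiator(initiator_log), triage_responder(responder_log)
    stage = ("IKE_SA not established" if not i["ike_sa"]
             else "IKE_SA up, CHILD_SA failed" if not i["child_sa"] else "tunnel up")
    if r["rejected"]:
        cause = f"responder rejected tunnel: {r['rejected']} (group policy {r['group_policy']})"
    elif i["notify"] == "NO_PROPOSAL_CHOSEN":
        cause = "responder log needed: proposal mismatch or policy rejection"
    else:
        cause = i["notify"] or "none"
    return {"stage": stage, "notify": i["notify"], "cause": cause}
```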