Openswan Cisco ASA 9.1 – cannot respond to IPsec SA request because no connection is known

OK, so I have a simple IPsec VPN setup using a Linux host with a public IP address and a loopback interface of 172.16.255.1. On the right side I have a Cisco ASA 5505 running 9.1. The problem is that the Cisco ASA says "PHASE 2 Completed" when debugging, so I know there is no conflict in my ISAKMP negotiation. However, I get the following, which should indicate a network ACL mismatch, but I can't figure it out.

    Apr 09 14:30:26 [IKEv1 DEBUG]Group = xx137.133, IP = xx137.133, IKE got a KEY_ADD msg for SA: SPI = 0x61af9f82
    Apr 09 14:30:26 [IKEv1 DEBUG]Group = xx137.133, IP = xx137.133, Pitcher: received KEY_UPDATE, spi 0x95cad3f0
    Apr 09 14:30:26 [IKEv1 DEBUG]Group = xx137.133, IP = xx137.133, Starting P2 rekey timer: 27360 seconds.
    Apr 09 14:30:26 [IKEv1]Group = xx137.133, IP = xx137.133, PHASE 2 COMPLETED (msgid=0504e77c)
    Apr 09 14:23:29 [IKEv1]Group = xx137.133, IP = xx137.133, Received non-routine Notify message: Invalid ID info (18)

On the Linux box running Openswan I see:

    "L2L-IPSEC-CT" #1: the peer proposed: 172.16.255.1/32:0/0 -> 192.168.0.0/24:0/0
    "L2L-IPSEC-CT" #1: cannot respond to IPsec SA request because no connection is known for 172.16.255.1/32===xx137.133<xx137.133>[+S=C]:1/0...xx157.15<xx157.15>[+S=C]:1/0===192.168.0.0/24
    "L2L-IPSEC-CT" #1: sending encrypted notification INVALID_ID_INFORMATION to xx157.15:500

After some research it seems to be a problem with the proposed networks allowed across the tunnel. But my configurations are the same.

Cisco configuration

    access-list VPN-TRAFFIC-VPS1 line 1 extended permit icmp 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=422) 0x150f2cfc
    access-list VPN-TRAFFIC-VPS1 line 2 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1 (hitcnt=42) 0xfd98dbac

Openswan Config

    conn L2L-IPSEC-CT
        auto=start            # automatically start if detected
        type=tunnel           # tunnel mode / not transport
        compress=no
        ### THIS SIDE ###
        left=xx137.133
        leftsubnet=172.16.255.1/32
        ### PEER SIDE ###
        right=xx157.15
        rightsubnet=192.168.0.0/24
        # phase 1 encryption-integrity-diffhellman
        keyexchange=ike
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        ikelifetime=86400s
        authby=secret         # use presharedkey
        # phase 2 encryption-pfsgroup
        phase2=esp            # esp for encryption | ah for authentication only
        phase2alg=3des-md5;modp1024
        pfs=no

My test is a ping from 192.168.0.200 to 172.16.255.1. Here is show crypto ipsec sa:

    asa(config)# show crypto ipsec sa
    interface: outside
        Crypto map tag: outside-cmap, seq num: 40, local addr: xx157.15

          access-list VPN-TRAFFIC-VPS1 extended permit ip 192.168.0.0 255.255.255.0 host 172.16.255.1
          local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.16.255.1/255.255.255.255/0/0)
          current_peer: xx137.133

          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: xx157.15/0, remote crypto endpt.: xx137.133/0
          path mtu 1500, ipsec overhead 58(36), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 61AF9F82
          current inbound spi : 95CAD3F0

Openswan ipsec auto --status

    000 "L2L-IPSEC-CT": 172.16.255.1/32===xx137.133<xx137.133>[+S=C]...xx157.15<xx157.15>[+S=C]===192.168.0.0/24; erouted; eroute owner: #4
    000 "L2L-IPSEC-CT":     myip=unset; hisip=unset;
    000 "L2L-IPSEC-CT":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "L2L-IPSEC-CT":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: eth0;
    000 "L2L-IPSEC-CT":   newest ISAKMP SA: #3; newest IPsec SA: #4;
    000 "L2L-IPSEC-CT":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
    000 "L2L-IPSEC-CT":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
    000 "L2L-IPSEC-CT":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
    000 "L2L-IPSEC-CT":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
    000 "L2L-IPSEC-CT":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
    000 "L2L-IPSEC-CT":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
    000
    000 #4: "L2L-IPSEC-CT":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27518s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
    000 #4: "L2L-IPSEC-CT" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
    000 #3: "L2L-IPSEC-CT":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85221s; newest ISAKMP; lastdpd=1s(seq in:0 out:0); idle; import:admin initiate

I'm really lost as to why this isn't working. Maybe a fresh set of eyes will help, since I've been working on this for 3 days! Ugh!

Thanks for your help, serverfault community!

PS: Is there any Openswan command I can use to verify that the subnets in question are being picked up by the tunnel "openswan
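As an added diagnostic (not code from the question or the answer): Openswan's "cannot respond to IPsec SA request because no connection is known for ..." message prints the selectors it was actually asked for, and a `:proto/port` suffix after a host is the protocol and port of that proposed selector. The script below parses such a line and compares it with the conn's leftsubnet/rightsubnet/leftprotoport/rightprotoport; the public addresses in the sample line are constructed documentation addresses standing in for the redacted ones.

```python
import re
import ipaddress

# Constructed sample, modelled on the Openswan log line in the question
# (198.51.100.133 / 203.0.113.15 stand in for the redacted xx137.133 / xx157.15).
PLUTO_LOG = (
    '"L2L-IPSEC-CT" #1: cannot respond to IPsec SA request because no connection '
    'is known for 172.16.255.1/32===198.51.100.133<198.51.100.133>[+S=C]:1/0'
    '...203.0.113.15<203.0.113.15>[+S=C]:1/0===192.168.0.0/24'
)

# Selectors of the conn in the question; protoport defaults to 0/0 (any).
CONN = {
    "leftsubnet": "172.16.255.1/32", "leftprotoport": "0/0",
    "rightsubnet": "192.168.0.0/24", "rightprotoport": "0/0",
}


def _protoport(host_part):
    """Openswan appends ':proto/port' to a host only when either is non-zero."""
    m = re.search(r":(\d+)/(\d+)$", host_part)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def parse_no_connection_line(line):
    """Return ((left_net, proto, port), (right_net, proto, port)) from a
    'no connection is known for' message, or None for any other line."""
    m = re.search(r"no connection is known for (\S+)", line)
    if not m:
        return None
    left_part, right_part = m.group(1).split("...", 1)   # '...' separates the two ends
    left_net, left_host = left_part.split("===", 1)       # client===host<id>[flags]:p/p
    right_host, right_net = right_part.split("===", 1)    # host<id>[flags]:p/p===client
    return (left_net, *_protoport(left_host)), (right_net, *_protoport(right_host))


def selector_mismatches(proposal, conn):
    """List every way the peer's proposed selectors differ from the conn."""
    problems = []
    for side, (net, proto, port) in zip(("left", "right"), proposal):
        want_net = ipaddress.ip_network(conn[f"{side}subnet"])
        want_proto, want_port = (int(x) for x in conn[f"{side}protoport"].split("/"))
        if ipaddress.ip_network(net) != want_net:
            problems.append(f"{side}subnet: peer wants {net}, conn has {want_net}")
        if (proto, port) != (want_proto, want_port):
            problems.append(f"{side}protoport: peer wants {proto}/{port}, "
                            f"conn has {want_proto}/{want_port}")
    return problems


if __name__ == "__main__":
    for problem in selector_mismatches(parse_no_connection_line(PLUTO_LOG), CONN):
        print(problem)
```

Run against the line from the question, it reports that both subnets match the conn and that the only difference is the proposed protocol 1 (ICMP) against the conn's default 0/0, which is the kind of detail the "the peer proposed ... :0/0" line does not show.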

OK, I believe I've got it.

So, even though my Openswan box is not behind NAT and has a NIC directly on a public IP, I had to turn on NAT-Traversal. With that in mind, I had to add leftsourceip=172.16.255.1 to tell Openswan which source address to use when talking to the right side of the tunnel. The last thing I had to do was enable forceencaps. For some reason, once I did that the tunnel started working.

    config setup
        listen=xx137.133
        nat_traversal=yes
        virtual_private=%v:172.16.255.1/32,192.168.0.0/24
        oe=off
        protostack=netkey

    conn L2L-IPSEC-CT
        auto=start            # automatically start if detected
        type=tunnel           # tunnel mode / not transport
        compress=no
        ### THIS SIDE ###
        left=xx137.133
        leftid=xx137.133
        leftsubnet=172.16.255.1/32
        leftsourceip=172.16.255.1
        ### PEER SIDE ###
        right=xx157.15
        rightid=xx157.15
        rightsubnet=192.168.0.0/24
        # phase 1 encryption-integrity-diffhellman
        keyexchange=ike
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        ikelifetime=86400s
        authby=secret         # use presharedkey
        # phase 2 encryption-pfsgroup
        phase2=esp            # esp for encryption | ah for authentication only
        phase2alg=3des-md5;modp1024
        pfs=no
        forceencaps=yes