I'm trying to set up an S2S VPN between Ubuntu strongSwan (in Azure) and a Cisco ASA at a client site.
Currently using IKEv1 (the Cisco side won't support v2 for a few months), and it seems to get stuck generating a TRANSACTION exchange that the Cisco never responds to.
Cisco configuration

crypto map outside_map 56 match address xodia_56_cryptomap
crypto map outside_map 56 set pfs
crypto map outside_map 56 set peer 23.99.58.75
crypto map outside_map 56 set transform-set ESP-AES-256-SHA
crypto map outside_map 56 set nat-t-disable
tunnel-group 23.99.58.75 type ipsec-l2l
tunnel-group 23.99.58.75 ipsec-attributes
 pre-shared-key *****
network-object host 10.110.120.10
network-object host 10.110.121.10
access-list xodia_56_cryptomap extended permit ip object-group DM_INLINE_NETWORK_86 object-group GROUP1
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
StrongSwan

closeaction=clear
keyexchange=ikev1
dpdaction=clear
leftsourceip=%config
esp=aes256-modp1024
ike=aes-sha-modp1024
reauth=no
mobike=no
ikelifetime=86400s
keylife=86400s
keyingtries=%forever
authby=secret
left=%any #23.99.58.75
leftid=@local
leftfirewall=no
leftsubnet=10.110.120.10/32
right=xx.xx.xx.xx
rightid=xx.xx.xx.xx
rightsubnet=192.168.0.0/24
auto=start

ipsec.secrets is not shown – it gets through the auth part.
StrongSwan debug (charondebug="ike 4, knl 2, cfg 2")

[IKE] IKE_SA azure[1] state change: CONNECTING => ESTABLISHED
[IKE] scheduling rekeying in 85436s
[IKE] maximum IKE_SA lifetime 85976s
[IKE] queueing MODE_CONFIG task
[IKE] activating new tasks
[IKE] activating MODE_CONFIG task
[IKE] Hash => 20 bytes @ 0x5603d8dc2000
[ENC] generating TRANSACTION request 1632003282 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
[IKE] next IV for MID 1632003282 => 16 bytes @ 0x5603d8dc1440
[IKE] 0: 11 59 2E E1 00 9A 13 5D 39 54 FF F8 05 8B BF 19 .Y.....]9T......
[IKE] next IV for MID 1632003282 => 16 bytes @ 0x5603d8dc1a60
[IKE] 0: 32 F5 3A 90 1C 85 58 B6 00 5F 63 20 AC 0B 38 7F 2.:...X.._c ..8.
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 1 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
[IKE] sending retransmit 2 of request message ID 1632003282, seq 4
[NET] sending packet: from 10.110.120.10[500] to xx.xx.xx.xx[500] (92 bytes)
And finally a network trace

20:15:34.541555 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
20:15:34.619380 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident
20:15:34.620326 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident
20:15:34.698551 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident
20:15:34.699464 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 1 I ident[E]
20:15:34.777798 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 2/others ? inf[E]
20:15:34.777806 IP xx.xx.xx.xx.500 > 10.110.120.10.500: isakmp: phase 1 R ident[E]
20:15:34.778195 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
20:15:38.778508 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
20:15:45.978860 IP 10.110.120.10.500 > xx.xx.xx.xx.500: isakmp: phase 2/others I #6[E]
The Cisco box probably isn't expecting a mode config exchange (which is the TRANSACTION exchange initiated by strongSwan). So try removing leftsourceip=%config.
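As an added example (not part of the original question or answer), here is the questioner's strongSwan conn rewritten as a normal ipsec.conf conn block with the suggested change applied. The conn name azure is taken from the IKE_SA name in the debug log; the peer address stays as the xx.xx.xx.xx placeholder from the question, and every other value is unchanged.

```conf
# ipsec.conf conn for the Azure strongSwan -> Cisco ASA site-to-site tunnel
# (example rewrite of the question's settings; values other than the removed
# leftsourceip line are as posted)
conn azure
    keyexchange=ikev1
    authby=secret
    ike=aes-sha-modp1024
    esp=aes256-modp1024
    ikelifetime=86400s
    keylife=86400s
    keyingtries=%forever
    reauth=no
    mobike=no                    # IKEv2-only option, ignored for ikev1
    dpdaction=clear
    closeaction=clear
    left=%any                    # 23.99.58.75 behind Azure NAT
    leftid=@local
    leftsubnet=10.110.120.10/32  # local traffic selector, matches the ASA host object
    leftfirewall=no
    # leftsourceip=%config removed: with it set, charon queues a MODE_CONFIG
    # task after phase 1 and sends a TRANSACTION (CPRQ) request; an ASA
    # ipsec-l2l tunnel-group does not answer it, so the tunnel stalls there.
    right=xx.xx.xx.xx
    rightid=xx.xx.xx.xx
    rightsubnet=192.168.0.0/24
    auto=start
```

After editing, run ipsec reload and then ipsec up azure. With leftsourceip gone, the debug log should move from the ESTABLISHED state change straight to a QUICK_MODE task rather than "queueing MODE_CONFIG task", and the retransmits of the TRANSACTION request seen in the trace (the repeated "phase 2/others I #6[E]" packets) should no longer appear; the local selector comes from leftsubnet, which the question already sets explicitly.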