我正在尝试在 Cisco ASA 5510(7.0(5) 固件,IP 222.222.222.222)和 Watchguard X750e 防火墙(10.2 固件,IP 111.111.111.111)之间设置局域网到局域网 VPN
阶段 1 出现,但随后日志中出现消息“IKE 与远程对等方失去联系,正在删除连接”,并且 ASa 从未启动阶段 2 配置。这可能是什么原因造成的?
日志和配置信息如下,对于难看的文字墙感到抱歉:
从 ASA 端的日志:
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
在 Watchguard 结束时:
11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161" Debug
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug
11:17:00 iked Process 5/6 Msg : failed to process ID payload 4 Debug
11:17:00 iked Process INFO_EXCHANGE : EncryptBit set before SA created Debug
11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059" Debug
我们最后的配置如下所示:
object-group network REMOTENETWORK
network-object 215.12.34.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK
access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 111.111.111.111
crypto map outside_map 100 set transform-set ESP-3DES-SHA
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key SECRETKEY
第 1 阶段和第 2 阶段远程 Watchguard 配置的屏幕截图:
以下是一些有关 IKE SA 不匹配的提示的链接,可能会有所帮助(还有一些调试命令可供查看):
http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html
您是否尝试过禁用 DPD ?不同供应商之间的 DPD 可能工作一般......是否都设置为使用主模式?一遍又一遍地检查设置..
您必须在第一阶段为网关 ip 提供 DNS 名称或 IP 地址。
输入IP地址并在其下方的下拉框中选择IP。