shaying110's blog
Configuring a Site-to-Site VPN between an ASA5520 and a PIX525

2012-02-29 16:41:03 | Category: Cisco networking


A Cisco Site-to-Site VPN is also called an L2L (LAN-to-LAN) VPN.

ASA5520

sh ver

Cisco Adaptive Security Appliance Software Version 8.2(1)
Device Manager Version 6.2(1)

Compiled on Tue 05-May-09 22:45 by builders
System image file is "disk0:/asa821-k8.bin"

 

PIX525

PIX525(config)# SH VER

Cisco PIX Security Appliance Software Version 8.0(2)
Device Manager Version 6.0(2)

Compiled on Fri 15-Jun-07 18:25 by builders
System image file is "flash:/pix802.bin"

 

When configuring the L2L VPN between these two devices, traffic across the tunnel would not ping no matter how the configuration was adjusted. Debugging on each side showed the following:

ASA:

ASA5520-01(config)# sh cry is sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer:X.Y.Z.D
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: A.B.C.E
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
Feb 29 01:17:51 [IKEv1]: Group = A.B.C.E, IP = A.B.C.E, Removing peer from correlator table failed, no match!
Feb 29 01:17:52 [IKEv1]: Group = A.B.C.E, IP = A.B.C.E, construct_ipsec_delete(): No SPI to identify Phase 2 SA!
Feb 29 01:17:52 [IKEv1]: Group = A.B.C.E, IP = A.B.C.E, Removing peer from correlator table failed, no match!
Feb 29 01:18:01 [IKEv1]: IP = A.B.C.E, Rejecting new IPSec SA negotiation for peer A.B.C.E. A negotiation was already in progress for local Proxy 172.16.30.0/255.255.255.0, remote Proxy 192.168.1.0/255.255.255.0
Feb 29 01:18:01 [IKEv1]: Group = A.B.C.E, IP = A.B.C.E, QM FSM error (P2 struct &0x71dfed10, mess id 0x4bf61385)!

IPSEC(crypto_map_check): crypto map vpn 1 does not hole match for ACL outside_1_cryptomap

IPSEC(crypto_map_check): crypto map vpn  2 does not hole match for ACL outside_2_cryptomap

 

PIX:

PIX525# sh cry is sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: A.B.C.G
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3

Feb 29 16:20:07 [IKEv1]: Group = A.B.C.G, IP = A.B.C.G, Removing peer from correlator table failed, no match!
Feb 29 16:20:08 [IKEv1]: Group = A.B.C.G, IP = A.B.C.G, QM FSM error (P2 struct &0x5295b68, mess id 0x2c67fbcd)!
Feb 29 16:20:08 [IKEv1]: Group = A.B.C.G, IP = A.B.C.G, Removing peer from correlator table failed, no match!
Feb 29 16:20:09 [IKEv1]: Group = A.B.C.G, IP = A.B.C.G, QM FSM error (P2 struct &0x5295b68, mess id 0x9c5fd705)!

 

After carefully re-checking both configurations, the cause turned out to be a PFS (Perfect Forward Secrecy) mismatch on the ASA side, not the crypto ACL mismatch that online write-ups usually blame. On the PIX, `crypto map outside_map 1 set pfs` carries no group keyword, so it defaults to Diffie-Hellman group 2; the ASA has `crypto map vpn 1 set pfs group1`. The two peers therefore cannot agree on the PFS group during Quick Mode (Phase 2), which is consistent with the repeated `QM FSM error` messages above, even though the crypto ACLs on the two sides are exact mirror images of each other.

Company-side PIX525 configuration:

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.30.0 255.255.255.0
access-list test_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.30.0 255.255.255.0
nat (test) 0 access-list test_nat0_outbound
nat (test) 1 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A.B.C.G
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group A.B.C.G type ipsec-l2l
tunnel-group A.B.C.G ipsec-attributes
 pre-shared-key *
 
 
 
Data-center ASA5520 configuration:

access-list sdtc-acc-vpn-ip extended permit ip 172.16.30.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 172.16.30.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list sdtc-acc-vpn-ip
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn 1 match address outside_3_cryptomap
crypto map vpn 1 set pfs group1
crypto map vpn 1 set peer A.B.C.E
crypto map vpn 1 set transform-set ESP-3DES-SHA
crypto map vpn interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group A.B.C.E type ipsec-l2l
tunnel-group A.B.C.E ipsec-attributes
 pre-shared-key *

After correcting the PFS group so that both sides agree, the two networks can reach each other.
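The mismatch is easy to miss by eye, because one side reads `set pfs` and the other `set pfs group1`. The following Python script is an added example, not code from the original post: it parses the commands that matter for the negotiation (crypto ACLs, transform-sets, crypto map entries, ISAKMP policies) from both configurations, fills in the group2 default for a bare `set pfs`, and reports every Phase 1 or Phase 2 parameter on which the peers cannot agree. It also checks the two things the online advice points at, mirrored crypto ACLs and a shared transform-set, so those can be ruled out in the same pass. The function names (`parse_config`, `compare_l2l`, `diagnose`) are mine, and the embedded config excerpts are constructed from the two configurations above with the peer, NAT and tunnel-group lines left out.

```python
"""Cross-check the L2L IPsec settings of two Cisco ASA/PIX peers (added example,
not code from the original post). Parses only the commands the post shows and
reports each Phase 1 / Phase 2 parameter on which the peers cannot agree."""
import re
from collections import defaultdict

DEFAULT_PFS_GROUP = "group2"  # a bare `set pfs` means DH group 2 on PIX/ASA
PHASE1_KEYS = ("authentication", "encryption", "hash", "group")
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
TSET_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)$")
CMAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set pfs|set transform-set)\s*(.*)$")
POLICY_RE = re.compile(r"crypto isakmp policy (\d+)$")
ATTR_RE = re.compile(r"(authentication|encryption|hash|group|lifetime) (\S+)$")

def parse_config(text):
    """Return crypto ACLs, transform-sets, crypto-map entries and ISAKMP policies."""
    cfg = {"acl": defaultdict(list), "tset": {}, "cmap": {}, "isakmp": {}}
    policy = None  # ISAKMP policy sub-mode currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := ACL_RE.match(line):
            cfg["acl"][m[1]].append((m[2], m[3], m[4], m[5]))
        elif m := TSET_RE.match(line):
            cfg["tset"][m[1]] = frozenset(m[2].split())
        elif m := CMAP_RE.match(line):
            entry = cfg["cmap"].setdefault((m[1], int(m[2])), {})
            cmd, arg = m[3], m[4].strip()
            if cmd == "set pfs":
                entry["pfs"] = arg or DEFAULT_PFS_GROUP
            elif cmd == "match address":
                entry["acl"] = arg
            else:
                entry["tsets"] = arg.split()
        elif m := POLICY_RE.match(line):
            policy = cfg["isakmp"].setdefault(int(m[1]), {})
            continue  # the indented attribute lines that follow belong to it
        elif policy is not None and (m := ATTR_RE.match(line)):
            policy[m[1]] = m[2]
            continue
        policy = None  # any other top-level command closes the sub-mode
    return cfg

def compare_l2l(cfg_a, key_a, cfg_b, key_b):
    """List the parameters on which crypto-map entries key_a and key_b disagree."""
    a, b = cfg_a["cmap"][key_a], cfg_b["cmap"][key_b]
    problems = []
    # Phase 1: some pair of ISAKMP policies must agree on auth, enc, hash, DH group.
    if not any(all(p.get(k) == q.get(k) for k in PHASE1_KEYS)
               for p in cfg_a["isakmp"].values() for q in cfg_b["isakmp"].values()):
        problems.append("phase1: no ISAKMP policy is common to both peers")
    # Phase 2: mirrored proxy ACLs, a shared ESP proposal, identical PFS group
    # (None means PFS is not configured on that side).
    flipped = {(d, dm, s, sm) for s, sm, d, dm in cfg_a["acl"][a.get("acl")]}
    if not flipped or set(cfg_b["acl"][b.get("acl")]) != flipped:
        problems.append("acl: crypto ACLs are not mirror images")
    if {cfg_a["tset"][t] for t in a.get("tsets", [])}.isdisjoint(
            cfg_b["tset"][t] for t in b.get("tsets", [])):
        problems.append("transform-set: no common ESP proposal")
    if a.get("pfs") != b.get("pfs"):
        problems.append(f"pfs: {a.get('pfs')} vs {b.get('pfs')}")
    return problems

# Constructed from the two configurations in the post (peer/NAT lines omitted).
PIX_CONFIG = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 172.16.30.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
ASA_CONFIG = """
access-list outside_3_cryptomap extended permit ip 172.16.30.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map vpn 1 match address outside_3_cryptomap
crypto map vpn 1 set pfs group1
crypto map vpn 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""

def diagnose(pix_text=PIX_CONFIG, asa_text=ASA_CONFIG):
    """Compare the PIX and ASA sides of the post's tunnel; empty list = consistent."""
    return compare_l2l(parse_config(pix_text), ("outside_map", 1),
                       parse_config(asa_text), ("vpn", 1))
```

Calling `diagnose()` on the excerpts as posted returns a single finding, `pfs: group2 vs group1`: Phase 1 is satisfied by the ASA's policy 65535, the ACLs mirror, and the transform-sets are identical. Once either side is changed so the PFS groups agree, the result is an empty list. Feeding the script a full `show running-config` works the same way, since lines it does not recognise are simply skipped.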
