Mikrotik + Cisco ASA IPsec

Hi all, I'm trying to set up a VPN between a Mikrotik RouterBoard RB951 and a Cisco ASA 5505:

The Mikrotik has two interfaces configured: 10.34.1.50 is the external one, 192.168.88.1 is the interface of the internal network.

The Cisco ASA has two SVIs configured: vlan1 10.34.1.51 is external; vlan2 192.168.1.1 is the interface of the other internal network. Cisco ASA config:

: Saved
:
ASA Version 7.2(4)
!
hostname ASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif outside
security-level 0
ip address 10.34.1.51 255.255.254.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone MSD 4
access-list HELP_ACL extended permit ip 192.168.1.0 255.255.255.0 192.168.88.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (inside) 1 interface
nat (outside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set DES_SHA esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 144000
crypto map TEST_MAP 10 match address HELP_ACL
crypto map TEST_MAP 10 set pfs
crypto map TEST_MAP 10 set peer 10.34.1.50
crypto map TEST_MAP 10 set transform-set DES_SHA
crypto map TEST_MAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 1800
client-update enable
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config inside
!
tunnel-group 10.34.1.50 type ipsec-l2l
tunnel-group 10.34.1.50 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:b82ecf870d8dcc3c3c233f112298e761
: end

The Mikrotik VPN settings are attached as pictures. On the Installed SAs tab, SAs periodically appear and disappear.

When debugging with debug crypto isakmp 7, the following messages are output:

ASA# Apr 24 16:14:51 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:01 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 104
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Oakley proposal is acceptable
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Received DPD VID
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing IKE SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing ISAKMP SA payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing Fragmentation VID + extended capabilities payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 188
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing ke payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing ISA_KE payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, processing nonce payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing ke payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing nonce payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing Cisco Unity VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing xauth V6 VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Send IOS VID
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, constructing VID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: IP = 10.34.1.50, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Connection landed on tunnel_group 10.34.1.50
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Generating keys for Responder...
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Computing hash for ISAKMP
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Connection landed on tunnel_group 10.34.1.50
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Freeing previously allocated memory for authorization-dn-attributes
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing ID payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Computing hash for ISAKMP
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing dpd vid payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, PHASE 1 COMPLETED
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, Keep-alive type for this connection: DPD
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Starting P1 rekey timer: 1350 seconds.
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending notify message
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:15 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:15 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=163c7a52) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Sending keep-alive of type DPD R-U-THERE (seq number 0x6471339c)
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=88e17178) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=8c477232) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing notify payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x6471339c)
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE RECEIVED Message (msgid=a1994cf2) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing SA payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing nonce payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ke payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ISA_KE for PFS in phase 2
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.88.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing ID payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Received local IP Proxy Subnet data in ID Payload: Address 192.168.1.0, Mask 255.255.255.0, Protocol 0, Port 0
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM IsRekeyed old sa not found by addr
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Static Crypto Map check, checking map = TEST_MAP, seq = 10...
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Static Crypto Map check, map TEST_MAP, seq = 10 is a successful match
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, IKE Remote Peer configured for crypto map: TEST_MAP
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, processing IPSec SA payload
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, All IPSec SA proposals found unacceptable!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending notify message
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing ipsec notify payload for msg id a1994cf2
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=f5c3cc1d) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM FSM error (P2 struct &0x175bec8, mess id 0xa1994cf2)!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE QM Responder FSM error history (struct &0x175bec8) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending delete/delete with reason message
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, Removing peer from correlator table failed, no match!
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE SA MM:0ddf4fef rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, IKE SA MM:0ddf4fef terminating: flags 0x01000002, refcnt 0, tuncnt 0
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, sending delete/delete with reason message
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing blank hash payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing IKE delete payload
Apr 24 16:15:16 [iKEv1 DEBUG]: Group = 10.34.1.50, IP = 10.34.1.50, constructing qm hash payload
Apr 24 16:15:16 [iKEv1]: IP = 10.34.1.50, IKE_DECODE SENDING Message (msgid=c9b9dc3a) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Apr 24 16:15:26 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping
Apr 24 16:15:36 [iKEv1]: IP = 10.34.1.50, Received encrypted packet with no matching SA, dropping

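As an added example (not part of the original post and not the poster's or Cisco's code), the following Python script does the two checks a defender would run on the material above: it reads the ASA "debug crypto isakmp" lines to locate the step where the negotiation stopped (here after "PHASE 1 COMPLETED", at "All IPSec SA proposals found unacceptable!", i.e. a phase-2 proposal mismatch), and it compares the phase-2 proposal the posted ASA config offers (transform set DES_SHA, which is actually esp-des plus esp-md5-hmac, and PFS from "set pfs") with a RouterOS "/ip ipsec proposal" export. The RouterOS export embedded in the script is constructed, because the poster's Mikrotik settings exist only as screenshots; the RouterOS key names (auth-algorithms, enc-algorithms, pfs-group) and the ASA default of group2 for a bare "set pfs" are assumptions. The script also flags DES, MD5 and 1024-bit DH as algorithms to replace once the tunnel is up.

```python
import re

# ASA phase-2 lines copied from the posted config.
ASA_CONFIG = """\
crypto ipsec transform-set DES_SHA esp-des esp-md5-hmac
crypto map TEST_MAP 10 match address HELP_ACL
crypto map TEST_MAP 10 set pfs
crypto map TEST_MAP 10 set peer 10.34.1.50
crypto map TEST_MAP 10 set transform-set DES_SHA
"""

# Constructed RouterOS export (hypothetical): the poster's real Mikrotik
# proposal is only shown in screenshots, so this stands in for it.
ROUTEROS_EXPORT = """\
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 enc-algorithms=3des pfs-group=none
"""

# Three lines taken from the posted 'debug crypto isakmp 7' output.
ASA_DEBUG = """\
Apr 24 16:15:15 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, PHASE 1 COMPLETED
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, All IPSec SA proposals found unacceptable!
Apr 24 16:15:16 [iKEv1]: Group = 10.34.1.50, IP = 10.34.1.50, QM FSM error (P2 struct &0x175bec8, mess id 0xa1994cf2)!
"""

# ASA transform names -> RouterOS algorithm names (RouterOS spellings assumed).
ASA_ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128-cbc",
               "esp-aes-192": "aes-192-cbc", "esp-aes-256": "aes-256-cbc",
               "esp-null": "null"}
ASA_ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-none": "null"}
ASA_PFS = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}
# Algorithms a defender should flag even once the tunnel comes up.
WEAK = {"des", "3des", "md5", "null", "modp768", "modp1024"}


def parse_asa_phase2(config):
    """Return the ESP encryption/auth and PFS group the ASA crypto map offers."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        transforms = m.group(2).split()
        enc = next((ASA_ESP_ENC[t] for t in transforms if t in ASA_ESP_ENC), "null")
        auth = next((ASA_ESP_AUTH[t] for t in transforms if t in ASA_ESP_AUTH), "null")
        sets[m.group(1)] = (enc, auth)
    chosen = re.search(r"^crypto map \S+ \d+ set transform-set (\S+)", config, re.M)
    enc, auth = sets[chosen.group(1)]
    pfs = re.search(r"^crypto map \S+ \d+ set pfs(?: (\S+))?", config, re.M)
    # A bare 'set pfs' is taken to mean group2 on the ASA (assumption).
    pfs_group = ASA_PFS.get(pfs.group(1) or "group2", pfs.group(1)) if pfs else "none"
    return {"enc": {enc}, "auth": {auth}, "pfs": pfs_group}


def parse_routeros_proposal(export):
    """Extract the comma-separated algorithm lists from a RouterOS proposal export."""
    def field(key):
        m = re.search(rf"{key}=(\S+)", export)
        return m.group(1) if m else "none"
    return {"enc": set(field("enc-algorithms").split(",")),
            "auth": set(field("auth-algorithms").split(",")),
            "pfs": field("pfs-group")}


def compare_proposals(asa, ros):
    """List every reason the two phase-2 proposals have no common transform."""
    problems = []
    if not asa["enc"] & ros["enc"]:
        problems.append(f"ESP encryption: ASA {sorted(asa['enc'])} vs peer {sorted(ros['enc'])}")
    if not asa["auth"] & ros["auth"]:
        problems.append(f"ESP auth: ASA {sorted(asa['auth'])} vs peer {sorted(ros['auth'])}")
    if asa["pfs"] != ros["pfs"]:
        problems.append(f"PFS group: ASA {asa['pfs']} vs peer {ros['pfs']}")
    return problems


def weak_algorithms(proposal):
    """Deprecated algorithms present in a proposal, sorted, for a hardening note."""
    used = proposal["enc"] | proposal["auth"] | {proposal["pfs"]}
    return sorted(used & WEAK)


def triage_isakmp_debug(debug):
    """Classify where an IKEv1 negotiation stopped from ASA debug text."""
    if "PHASE 1 COMPLETED" not in debug:
        return "phase1-failed"
    if "All IPSec SA proposals found unacceptable" in debug:
        return "phase2-proposal-mismatch"
    if "QM FSM error" in debug:
        return "phase2-other-error"
    return "phase2-ok"


if __name__ == "__main__":
    print("negotiation stage:", triage_isakmp_debug(ASA_DEBUG))
    asa, ros = parse_asa_phase2(ASA_CONFIG), parse_routeros_proposal(ROUTEROS_EXPORT)
    for p in compare_proposals(asa, ros):
        print("mismatch:", p)
    print("weak algorithms on ASA side:", weak_algorithms(asa))
```

Run as-is it reports the phase-2 mismatch stage and, for the constructed RouterOS proposal, three mismatches (encryption, authentication and PFS group). Replace ROUTEROS_EXPORT with a real "/ip ipsec proposal export" to check an actual pair of peers; when the peer proposal is des/md5/modp1024 the mismatch list is empty, which is exactly the set of algorithms the script then flags as weak.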