Resolving a failed IPsec VPN negotiation between a USG2100 firewall and a Cisco ASA5520

Published: 2014-08-25  Views: 1313  Downloads: 0
Problem description
A customer site set up an IPsec VPN between a USG2100 firewall and a Cisco ASA5520. After the configuration was applied, the tunnel between the two ends did not come up.

Topology:

ASA5520-----负载分担设备----出口路由器-----公网-----出口路由器-----负载分担设备----USG2100
(ASA5520 -- load balancer -- egress router -- Internet -- egress router -- load balancer -- USG2100)

The Cisco device is the headquarters end and negotiates tunnels with Cisco devices at other sites without problems. After the newly added USG2100 was connected, IPsec VPN negotiation with it failed.

Both devices reach the Internet through a load-balancing device and then an egress device, and the egress devices perform NAT.


Alarm information
Debug output from the USG2100:

*0.2303245820 USG2100 IKE/7/DEBUG:60c01acb 8bfd32a2 6ad41093 a54c8d76 f2bfe42e
*0.2303245820 USG2100 IKE/7/DEBUG:message recv: msg->transport->ifidx 00000182.
*0.2303245830 USG2100 IKE/7/DEBUG:check message duplicate: last_received 0x116a2150
*0.2303245830 USG2100 IKE/7/DEBUG:message free: freeing 11697cf0
*0.2303245830 USG2100 IKE/7/DEBUG:release transport: transport a1581d4 had 2 references
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload ID
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload HASH, len 12
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload HASH
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload VENDOR, len 20
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload VENDOR
*0.2303245830 USG2100 IKE/7/DEBUG:message parse payloads: payload NONE, len 20
*0.2303245830 USG2100 IKE/7/DEBUG:validate payload ID of message 11698d60
*0.2303245830 USG2100 IKE/7/DEBUG:  id information: type 1 proto 17 port 0
*0.2303245830 USG2100 IKE/7/DEBUG:validate payload HASH of message 11698d60
*0.2303245830 USG2100 IKE/7/DEBUG:validate payload VENDOR of message 11698d60
*0.2303245830 USG2100 IKE/7/DEBUG:dpd_check_vendor_payload: DPD capable peer detected
*0.2303245830 USG2100 IKE/7/DEBUG:  vendor ID seen
*0.2303245840 USG2100 IKE/7/DEBUG:exchange validate: checking for required AUTH
*0.2303245840 USG2100 IKE/7/DEBUG:Enter m_initiator_recv_ID_AUTH
*0.2303245840 USG2100 IKE/7/DEBUG:recv ID: find ike peer by address (0xac100d82) failed !
*0.2303245840 USG2100 IKE/7/DEBUG:message free: freeing 116a2150
*0.2303245840 USG2100 IKE/7/DEBUG:release transport: transport a1583b4 had 1 references
*0.2303245850 USG2100 IKE/7/DEBUG:release transport:: freeing a1583b4
*0.2303245850 USG2100 IKE/7/DEBUG:release transport: transport a217b04 had 2 references
*0.2303245850 USG2100 IKE/7/DEBUG:add transport: adding a1583b4
*0.2303245850 USG2100 IKE/7/DEBUG:transport reference: transport a1583b4 now has 1 references
*0.2303245850 USG2100 IKE/7/DEBUG:transport reference: transport a1583b4 now has 2 references
*0.2303245850 USG2100 IKE/7/DEBUG:message alloc: allocated 116a52a0
*0.2303245850 USG2100 IKE/7/DEBUG:message_recv: message 116a52a0
*0.2303245850 USG2100 IKE/7/DEBUG:message dump: iovec 0:
*0.2303245850 USG2100 IKE/7/DEBUG:a08f28ab 3e8daa91 027af088 2dcfee17 08100501 48ceb09d 0000004c 4dffb101


Handling procedure
Comparing the two configurations showed that the ACLs at the two ends were not mirror images of each other. The ACLs were corrected and the tunnel retested; the problem persisted.
From the debug output at both ends, the Cisco device's IKE packets were arriving without NAT translation:

2014-08-2 13:20:50 USG2100 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 12.16.13.10,please check "remote-address" and "exchange-mode" in ike peer configuration.
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 12.16.13.10 255.255.255.128
The ASA5520's negotiation packets reached the USG2100 with the ASA's own outside address as source, not a translated one. The USG2100's `remote-address` had been configured as the Cisco side's post-NAT address, so no `ike peer` matched the source address actually seen on the wire and phase 1 failed with the warning above.
NAT traversal was enabled on the ASA5520.

Check the IKE SA state:
[2100]dis ike sa
16:57:22  2014/08/21
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
62579      <unnamed>               NONE          v1:2  public
62580      13.14.10.11:4500        RD|ST         v1:1  public

  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD

The SA table shows phase 1 is now up (conn-id 62580, flags RD|ST, phase v1:1, negotiated on UDP 4500 because NAT-T is in use), while the phase 2 SA (v1:2) has no state. The remaining failure is therefore in phase 2 negotiation, which the following debug line confirms:

*0.2410584530 USG2100 IKE/7/DEBUG:got NOTIFY of type NO_PROPOSAL_CHOSEN   


Cisco configuration (checked; this is the transform set the USG2100 has to match):
crypto ipsec transform-set myset esp-des esp-md5-hmac

Changes on the USG2100:

The original IPsec proposal used 3DES/MD5; it was changed to DES/MD5 to match the Cisco transform set, and the encapsulation mode on the USG side was changed to tunnel mode. NO_PROPOSAL_CHOSEN in phase 2 means exactly this: no IPsec proposal offered by the initiator matches one configured on the responder (encryption algorithm, authentication algorithm or encapsulation mode). Note that single DES (56-bit key) is a deprecated cipher; matching it brought the tunnel up, but since phase 2 only requires both ends to agree, the better fix is to move both sides to a stronger transform such as AES.

After these changes the tunnel negotiated and the problem was resolved.
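The proposal mismatch behind the NO_PROPOSAL_CHOSEN notify can be checked mechanically before touching either device. The script below is an added example, not configuration or code from this case or from Huawei or Cisco: it parses an ASA transform-set line and a USG `ipsec proposal` block into one shared vocabulary, reports which of encryption, authentication and encapsulation mode differ, and flags deprecated algorithms even when both ends agree on them. The USG block, its name `tran1` and its original `transport` mode are constructed assumptions modelled on the case's description (3DES/MD5 changed to DES/MD5, mode changed to tunnel); the Cisco line is the one quoted above.

```python
"""Compare an ASA transform-set with a Huawei USG IPsec proposal.

Added example, not from the case or from Huawei/Cisco. The USG side is
assumed to use 'ipsec proposal' / 'encapsulation-mode' /
'esp encryption-algorithm' / 'esp authentication-algorithm'; the sample
blocks below are constructed from the values described in the case.
"""
import re

# Map each vendor's algorithm names onto one shared vocabulary.
CISCO_TOKENS = {
    "esp-des": ("enc", "des"), "esp-3des": ("enc", "3des"),
    "esp-aes": ("enc", "aes-128"), "esp-aes-192": ("enc", "aes-192"),
    "esp-aes-256": ("enc", "aes-256"), "esp-null": ("enc", "null"),
    "esp-md5-hmac": ("auth", "md5"), "esp-sha-hmac": ("auth", "sha1"),
}
USG_ENC = {"des": "des", "3des": "3des", "aes": "aes-128",
           "aes-128": "aes-128", "aes-192": "aes-192", "aes-256": "aes-256"}
USG_AUTH = {"md5": "md5", "sha1": "sha1"}
WEAK = {"des", "null", "md5"}  # deprecated; flagged even when both ends agree

TS_LINE = re.compile(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)$")


def parse_cisco_transform_set(text):
    """Return {'name','enc','auth','mode'} from ASA transform-set lines (mode defaults to tunnel)."""
    ts = {"name": None, "enc": None, "auth": None, "mode": "tunnel"}
    for line in text.splitlines():
        m = TS_LINE.match(line.strip())
        if not m:
            continue
        ts["name"] = m.group(1)
        tokens = m.group(2).split()
        if tokens[0] == "mode":  # 'crypto ipsec transform-set NAME mode transport'
            ts["mode"] = tokens[1]
            continue
        for tok in tokens:
            kind, value = CISCO_TOKENS.get(tok, (None, None))
            if kind:
                ts[kind] = value
    return ts


def parse_usg_proposal(text):
    """Return {'name','enc','auth','mode'} from a USG 'ipsec proposal' block (mode defaults to tunnel)."""
    prop = {"name": None, "enc": None, "auth": None, "mode": "tunnel"}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ipsec proposal "):
            prop["name"] = line.split()[2]
        elif line.startswith("encapsulation-mode "):
            prop["mode"] = line.split()[1]
        elif line.startswith("esp encryption-algorithm "):
            prop["enc"] = USG_ENC.get(line.split()[2], line.split()[2])
        elif line.startswith("esp authentication-algorithm "):
            prop["auth"] = USG_AUTH.get(line.split()[2], line.split()[2])
    return prop


def compare(cisco, usg):
    """Return (fields that differ, deprecated algorithms in use on either side)."""
    mismatches = [f for f in ("enc", "auth", "mode") if cisco[f] != usg[f]]
    weak = sorted({v for side in (cisco, usg)
                   for v in (side["enc"], side["auth"]) if v in WEAK})
    return mismatches, weak


# Constructed samples: the Cisco line is the one from the case; the USG blocks
# are assumed renderings of "3DES/MD5, then DES/MD5 and tunnel mode".
CISCO_CFG = "crypto ipsec transform-set myset esp-des esp-md5-hmac\n"
USG_BEFORE = """ipsec proposal tran1
 encapsulation-mode transport
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
"""
USG_AFTER = """ipsec proposal tran1
 encapsulation-mode tunnel
 esp authentication-algorithm md5
 esp encryption-algorithm des
"""

if __name__ == "__main__":
    cisco = parse_cisco_transform_set(CISCO_CFG)
    for label, cfg in (("before", USG_BEFORE), ("after", USG_AFTER)):
        mism, weak = compare(cisco, parse_usg_proposal(cfg))
        print(f"{label}: mismatches={mism or 'none'} deprecated={weak or 'none'}")
```

Run against the constructed "before" block it reports `enc` and `mode` as mismatched, which is what NO_PROPOSAL_CHOSEN was telling us; against the "after" block it reports no mismatch but still flags `des` and `md5` as deprecated, which is the cue to harden both ends together rather than stop at a working tunnel.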



Root cause
The configuration showed that the tunnel between the two devices had not come up, so the following need to be checked:

1. The detailed session for the peer's UDP port 500
2. The detailed session for the peer's UDP port 4500
3. dis ike sa
4. debugging ike sa
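As an added example that is not part of the case, the script below applies the checklist above and the debug evidence from the handling procedure to captured text: it parses `dis ike sa` output for the per-phase state, decodes the hexadecimal address in the `find ike peer by address` debug line, and classifies the failure messages as a phase 1 peer-match problem or a phase 2 proposal mismatch (NO_PROPOSAL_CHOSEN is read as phase 2 only when a phase 1 SA is READY). The sample SA table and log lines are constructed from the output quoted on this page; the classification rules are the example's own, not Huawei's.

```python
"""Triage Huawei USG IKE debug/log lines together with 'dis ike sa' output.

Added example, not from the case or from Huawei. Sample lines are
constructed from the output quoted in the case; the heuristics are keyed
on the messages that output shows.
"""
import re

SA_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(v[12]:[12])\s+(\S+)")
PEER_LOOKUP_FAIL = re.compile(r"find ike peer by address \((0x[0-9a-fA-F]{8})\) failed")
PEER_CONFIG_FAIL = re.compile(r"cannot find matching ike peer configuration for peer (\S+?),")
NOTIFY = re.compile(r"got NOTIFY of type (\w+)")


def hex_to_ip(hexstr):
    """Convert an IKE debug address such as 0xac100d82 to dotted-quad form."""
    value = int(hexstr, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_ike_sa(text):
    """Parse 'dis ike sa' output into rows: conn_id, peer, flags (set), phase, vpn."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            conn, peer, flags, phase, vpn = m.groups()
            rows.append({"conn_id": int(conn), "peer": peer,
                         "flags": set(flags.split("|")), "phase": phase, "vpn": vpn})
    return rows


def triage(sa_text, log_lines):
    """Return a list of (category, message) findings; category is info/phase1/phase2."""
    rows = parse_ike_sa(sa_text)
    phase1_ready = any(r["phase"] == "v1:1" and "RD" in r["flags"] for r in rows)
    findings = []
    if any(r["peer"].endswith(":4500") for r in rows):
        findings.append(("info", "peer reached on UDP 4500: NAT-T in use, "
                                 "both ends need NAT traversal enabled"))
    for line in log_lines:
        m = PEER_LOOKUP_FAIL.search(line)
        if m:
            findings.append(("phase1", f"no ike peer matches source address {hex_to_ip(m.group(1))}; "
                                       "compare remote-address with the address seen on the wire (pre/post NAT)"))
            continue
        m = PEER_CONFIG_FAIL.search(line)
        if m:
            findings.append(("phase1", f"no ike peer configured for {m.group(1)}; "
                                       "check remote-address and exchange-mode"))
            continue
        m = NOTIFY.search(line)
        if m and m.group(1) == "NO_PROPOSAL_CHOSEN":
            if phase1_ready:
                findings.append(("phase2", "NO_PROPOSAL_CHOSEN with phase 1 READY: compare the ipsec "
                                           "proposal/transform-set (encryption, authentication, "
                                           "encapsulation mode) and mirrored ACLs"))
            else:
                findings.append(("phase1", "NO_PROPOSAL_CHOSEN before phase 1 completed: compare the "
                                           "ike proposal (encryption, hash, DH group, auth method)"))
    return findings


# Constructed from the output quoted in the case.
SAMPLE_SA = """current ike sa number: 2
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
62579      <unnamed>               NONE          v1:2  public
62580      13.14.10.11:4500        RD|ST         v1:1  public
"""
SAMPLE_LOG = [
    "*0.2303245840 USG2100 IKE/7/DEBUG:recv ID: find ike peer by address (0xac100d82) failed !",
    '2014-08-2 13:20:50 USG2100 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer '
    'configuration for peer 12.16.13.10,please check "remote-address" and "exchange-mode" '
    "in ike peer configuration.",
    "*0.2410584530 USG2100 IKE/7/DEBUG:got NOTIFY of type NO_PROPOSAL_CHOSEN",
]

if __name__ == "__main__":
    for category, message in triage(SAMPLE_SA, SAMPLE_LOG):
        print(f"[{category}] {message}")
```

Feed it the raw output of steps 3 and 4 of the checklist; the decoded address from the phase 1 line is the first thing to compare against `remote-address`, and the phase 1/phase 2 split tells you whether to look at the `ike peer` and `ike proposal` or at the `ipsec proposal` and ACLs.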

Suggestions and summary

END