Site-to-site between FPR1120 and ASA5506
Registered: 18 Nov 2020, 14:02
Posts: 30
Good evening. In one office there is an FPR1120 (FDM), in another office an ASA 5508. About a year ago I set up a site-to-site VPN between them. The VPN works without problems. Now I need to connect a warehouse to the office with the FPR1120. For this I bought an ASA 5506 for the warehouse. I took the same firmware as on the 5508, or rather downloaded it from it. I brought up the VPN with settings completely identical to the 5508's, only with my own external IP and internal subnet. I made the same settings for it on the FPR1120 as for the 5508. Added the rules in access control and NAT. But the VPN still hasn't come up. Debug on the 5506 doesn't show any packets from the FPR1120 at all. Please advise how else I can diagnose this.
5506:
enable password HhwVL3snhT6SHXZx encrypted
names

!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.7.1 255.255.255.0

!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address 213.135.73.11 255.255.255.192
!
boot system disk0:/asa982-33-lfbff-k8.SPA
ftp mode passive
clock timezone MSK/MSD 3
clock summer-time MSK/MDD recurring last Sun Mar 2:00 last Sun Oct 3:00
dns server-group DefaultDNS
domain-name orto.ru
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network orto
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.7.0_24
subnet 192.168.7.0 255.255.255.0
object network lan-subnet
subnet 192.168.7.0 255.255.255.0
object network localforvpn
subnet 192.168.7.0 255.255.255.0
object-group network local
network-object object localforvpn
access-list outside_cryptomap extended permit ip object localforvpn object orto
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any object orto
access-list inside_access_in extended permit ip 192.168.7.0 255.255.255.0 object orto
access-list inside_access_in extended permit ip object NETWORK_OBJ_192.168.7.0_24 any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-openjre-7151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static localforvpn localforvpn destination static orto orto no-proxy-arp route-lookup
nat (any,any) source static localforvpn localforvpn destination static orto orto no-proxy-arp
!
object network obj_any
nat (any,outside) dynamic interface
object network lan-subnet
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 213.135.*.* 1
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.7.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal IMPEX
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 213.85.*.*
crypto map outside_map 1 set ikev2 ipsec-proposal IMPEX
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 5
encryption aes-gcm
integrity null
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.7.0 255.255.255.0 inside
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address 192.168.7.100-192.168.7.200 inside
dhcpd dns 84.47.177.77 85.91.99.99 interface inside
dhcpd domain orto.ru interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
webvpn
anyconnect-essentials
cache
disable
error-recovery disable
group-policy GroupPolicy_213.85.*.* internal
group-policy GroupPolicy_213.85.*.* attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
username denis password z3sYAG28oY2RFkq2 encrypted privilege 15
tunnel-group 213.85.*.* type ipsec-l2l
tunnel-group 213.85.*.* general-attributes
default-group-policy GroupPolicy_213.85.*.*
tunnel-group 213.85.*.* ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:4a51c9d2afde9d35641047fbdb78747c
: end
-----------------------------------------------------------------------
VPN settings on the 1120 for the 5506:
Connection Name: IMPEX-Sklad

Type: Policy Based

VPN Access Interface IP: outside (213.85.*.*)
Network: orto(192.168.3.0/24)

Peer IP Address: 213.135.*.*
Peer Network: sklad(192.168.7.0/24)

IKE Version 2
IKE Policy: aes-256-sha256-sha256-14
IPSec Proposal: aes-256-sha-256
Authentication Type: Pre-shared Manual Key

IKE Version 1: Disabled

IPSec Settings
Lifetime Duration: 28800 seconds
Lifetime Size: 4608000 kilobytes

Additional Options
NAT Exempt: inside (192.168.3.30)

Diffie-Hellman Group: Null (not selected)
----------------------------------------------------
I have just rebooted both routers. The 5506 debug produced the following:
3 Dec 28 2021 19:20:47 752015 Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
4 Dec 28 2021 19:20:47 752012 IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
4 Dec 28 2021 19:20:47 750003 Local:213.135.*.*:500 Remote:213.85.*.*:500 Username:213.85.*.* IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
5 Dec 28 2021 19:20:47 750001 Local:213.135.*.*:500 Remote:213.85.*.*:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.7.100-192.168.7.100 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.3.5-192.168.3.5 Protocol: 0 Port Range: 0-65535
4 Dec 28 2021 19:20:47 752011 IKEv1 Doesn't have a transform set specified
5 Dec 28 2021 19:20:47 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = outside_map. Map Sequence Number = 1.


28 Dec 2021, 19:20
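As an added example (not from the thread and not Cisco's code), a small Python triage helper that parses ASA syslog lines like the ones quoted above, pulls out the peer, the traffic selectors and the message carrying the ERROR, and attaches a hint per message id; the sample log string is constructed from the quoted lines, and the hint wording is this example's own.

```python
import re

# Constructed sample input: the ASA 5506 syslog lines quoted in the post, one event
# per line (the log viewer wraps some of them), IPs masked exactly as posted.
SAMPLE_LOG = """\
3 Dec 28 2021 19:20:47 752015 Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
4 Dec 28 2021 19:20:47 752012 IKEv2 was unsuccessful at setting up a tunnel. Map Tag = outside_map. Map Sequence Number = 1.
4 Dec 28 2021 19:20:47 750003 Local:213.135.*.*:500 Remote:213.85.*.*:500 Username:213.85.*.* IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
5 Dec 28 2021 19:20:47 750001 Local:213.135.*.*:500 Remote:213.85.*.*:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 192.168.7.100-192.168.7.100 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.168.3.5-192.168.3.5 Protocol: 0 Port Range: 0-65535
4 Dec 28 2021 19:20:47 752011 IKEv1 Doesn't have a transform set specified
5 Dec 28 2021 19:20:47 752003 Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = outside_map. Map Sequence Number = 1.
"""

# Line layout: <severity> <Mon DD YYYY HH:MM:SS> <6-digit message id> <text>
LINE_RE = re.compile(r"^(\d)\s+(\w{3} \d\d \d{4} \d\d:\d\d:\d\d)\s+(\d{6})\s+(.*)$")
PEER_RE = re.compile(r"Remote:(\S+?):\d+")
SEL_RE = re.compile(r"local traffic selector = Address Range: (\S+).*?remote traffic selector = Address Range: (\S+)")

# Triage hints keyed by message id; the wording is this example's, not Cisco's.
HINTS = {
    752003: "traffic matched the crypto ACL and triggered IKEv2 (this side is the initiator)",
    750003: "IKE_AUTH failed: the peer answered IKE_SA_INIT, so UDP/500 reachability is fine; "
            "check that the IKEv2 pre-shared keys and the peer identity/tunnel-group name match on both sides",
    752011: "crypto map has no IKEv1 transform-set: harmless while only IKEv2 is used, but rules out an IKEv1 fallback",
    752015: "summary only; the real cause is the 7500xx message carrying an ERROR",
}

def parse_line(line):
    """Return {'sev','ts','id','msg'} for one ASA syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev, ts, mid, msg = m.groups()
    return {"sev": int(sev), "ts": ts, "id": int(mid), "msg": msg}

def triage(log_text):
    """Parse ASA IKEv2 log lines and collect the facts that decide the diagnosis."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    result = {"events": events, "cause_id": None, "peer": None,
              "local_selector": None, "remote_selector": None, "hints": []}
    for e in events:
        if "ERROR" in e["msg"] and result["cause_id"] is None:
            result["cause_id"] = e["id"]          # first message that names the real failure
        if (p := PEER_RE.search(e["msg"])) and result["peer"] is None:
            result["peer"] = p.group(1)
        if s := SEL_RE.search(e["msg"]):
            result["local_selector"], result["remote_selector"] = s.groups()
        if e["id"] in HINTS:
            result["hints"].append(f"%ASA-{e['sev']}-{e['id']}: {HINTS[e['id']]}")
    return result
```

Run `triage(SAMPLE_LOG)["hints"]` to see the per-message hints; the same helper can be fed the output of the ASA's own logging buffer.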

Registered: 07 Sep 2014, 02:54
Posts: 548
From: Msk
ivldenis wrote:
Connection Name: IMPEX-Sklad
Type: Policy Based

In short, you need to get rid of this legacy and do it properly with VTI.
Provided you have static IP addresses on both sides.

The ASA only supports a static VTI.
The Cisco router does support static and dynamic VTI.

_________________
Knowledge is Power


28 Dec 2021, 19:37