IPsec configured as a VTI: requests are not being encapsulated by IPsec

ewrq1987 (Level 1)
Hi everyone!
My device is an ASA 5525 with IPsec configured as a VTI. The tunnel is currently UP on both ends; the remote side can ping me fine, but when I ping the remote side it fails. The packet-tracer output does not appear to show the traffic being processed by IPsec. The output is below; could the experts please help analyse what is causing this?
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.244.33.23/80 to 10.244.33.23/80
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
Static translate 192.168.237.241/9000 to 192.168.237.241/9000
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 894594445, packet dispatched to next module
Phase: 9
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc dmz
Phase: 10
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 49.4.132.209 using egress ifc dmz
Phase: 11
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 4cb1.6c90.6071 hits 4647 reference 84
Result:
input-interface: inside2
input-status: up
input-line-status: up
output-interface: dmz
output-status: up
output-line-status: up
Action: allow
8 replies

ewrq1987 (Level 1)
Bumping this, any help appreciated!

YilinChen (Spotlight)
Does the ASA even support configuring IPsec VPN in SVTI mode? OP, you had better post your configuration :P
If the tunnel is UP on both ends, then look at routing: is the interesting traffic actually being matched?

ewrq1987 (Level 1)
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ipsec ikev1 transform-set AWS esp-aes esp-sha-hmac
crypto ipsec profile AWS
set ikev1 transform-set AWS
set pfs group2
set security-association lifetime seconds 3600
tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
ikev1 pre-shared-key QZhh90Bjf
isakmp keepalive threshold 10 retry 10
tunnel-group 52.37.194.219 type ipsec-l2l
tunnel-group 52.37.194.219 ipsec-attributes
ikev1 pre-shared-key JjxCWy4Ae
isakmp keepalive threshold 10 retry 10
interface Tunnel1
nameif AWS1
ip address 169.254.13.190 255.255.255.252
tunnel source interface outside
tunnel destination 52.34.205.227
tunnel mode ipsec ipv4
tunnel protection ipsec profile AWS
!
interface Tunnel2
nameif AWS2
ip address 169.254.12.86 255.255.255.252
tunnel source interface outside
tunnel destination 52.37.194.219
tunnel mode ipsec ipv4
tunnel protection ipsec profile AWS
router bgp 65000
bgp log-neighbor-changes
timers bgp 10 30 0
address-family ipv4 unicast
neighbor 169.254.12.85 remote-as 7224
neighbor 169.254.12.85 activate
neighbor 169.254.13.189 remote-as 7224
neighbor 169.254.13.189 activate
network 192.168.1.0
no auto-summary
no synchronization
exit-address-family
nat (inside,outside) source static inside inside destination static NoNat NoNat
object network inside
nat (inside1,outside) dynamic interface

ewrq1987 (Level 1)
I have now pinned it down to a NAT problem: after removing the NAT-related statements with "no", the VPN works. What I don't know is how to avoid this problem. Normally Phase 5 should be handled by the VPN, but once NAT is added the VPN no longer processes this traffic; instead NAT checks it again. I really don't understand the principle behind this, please explain!

YilinChen (Spotlight)
Configure twice NAT to separate out the traffic that needs to go through the IPsec VPN tunnel, so that it is not caught by the global PAT.
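The trace in the first post shows what the reply above describes: the manual NAT rule names the interface pair (inside2,dmz), so the ASA picks dmz as the egress interface from the NAT rule before the routing table (and therefore the VTI) is consulted, and no encrypt phase ever appears. The following script, an added example that is not part of the thread, parses packet-tracer output and reports that condition. It assumes the VTI interface names from the posted config (AWS1, AWS2), uses a constructed, abridged trace in the same shape as the posted one, and assumes that a successfully encrypted flow shows a phase of "Type: VPN".

```python
import re

# Constructed sample: an abridged packet-tracer trace shaped like the thread's
# (a NAT rule diverts the flow to dmz, no VPN phase, egress ends up on dmz).
SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Result: ALLOW
nat (inside2,dmz) source static inside2 inside2 destination static NoNat NoNat
Additional Information:
NAT divert to egress interface dmz
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Additional Information:
found next-hop 49.4.132.209 using egress ifc dmz
Result:
input-interface: inside2
output-interface: dmz
Action: allow
"""

def parse_phases(trace):
    """Return one dict per 'Phase:' block: its Type plus its raw lines."""
    phases = []
    for block in re.split(r"^Phase:\s*\d+\s*$", trace, flags=re.M)[1:]:
        lines = block.strip().splitlines()
        if "Result:" in lines:  # bare 'Result:' starts the final summary, not a phase
            lines = lines[: lines.index("Result:")]
        ptype = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("Type:")), "")
        phases.append({"type": ptype, "lines": lines})
    return phases

def diagnose(trace, vti_ifcs):
    """Report whether a flow was encrypted on a VTI or diverted by a NAT rule."""
    phases = parse_phases(trace)
    m = re.search(r"^output-interface:\s*(\S+)", trace, re.M)
    egress = m.group(1) if m else None
    # A manual NAT rule names an interface pair; the ASA takes the egress interface
    # from that pair before the routing table (and so the VTI) is consulted.
    divert = next((d.group(1) for p in phases for l in p["lines"]
                   if (d := re.match(r"NAT divert to egress interface (\S+)", l))), None)
    # Assumption: packet-tracer shows the IPsec encrypt step as a phase of Type: VPN.
    encrypted = any(p["type"] == "VPN" for p in phases)
    if encrypted and egress in vti_ifcs:
        verdict = "ok"
    elif divert and divert not in vti_ifcs:
        verdict = f"nat-divert:{divert}"
    else:
        verdict = "unencrypted:check-routing"
    return {"egress": egress, "nat_divert": divert, "encrypted": encrypted, "verdict": verdict}
```

Run `diagnose(SAMPLE_TRACE, {"AWS1", "AWS2"})` against the posted trace shape and the verdict names the diverting interface; after a NAT exemption for the tunnel traffic is in place, a healthy trace should yield "ok".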

ewrq1987 (Level 1)
I have solved that problem, but now a new one has appeared: the requests I initiate work one moment and fail the next. Very strange.

YilinChen (Spotlight)
Quoting ewrq1987@qq.com, posted on 2019-5-21 10:32:
I have solved that problem, but now a new one has appeared: the requests I initiate work one moment and fail the next. Very strange.

Looking at the configuration you posted, there are two tunnels; I guess they correspond to two Availability Zones in the same AWS Region. Make sure the forward and return paths of the traffic are consistent.

ewrq1987 (Level 1)
Quoting YilinChen, posted on 2019-5-21 15:33:
Looking at the configuration you posted, there are two tunnels; I guess they correspond to two Availability Zones in the same AWS Region. Make sure the forward and return paths of the traffic are consistent ...

Thanks, the problem has been located.