Asking about an IPsec VPN issue

wuleihen
Spotlight
This post was last edited by wuleihen on 2018-8-10 17:32
The customer has two sites that need to be interconnected, so an IPsec VPN was configured. Site A has a Sangfor (深信服) VPN device and site B an ASA 5508. After the configuration was completed, testing showed that site A can ping devices inside site B, but site B cannot ping the device addresses at site A. Could an expert please help troubleshoot? The configuration is as follows.
Site A address ranges: 10.132.0.0 255.255.240.0, 10.133.0.0 255.255.240.0, 10.137.0.0 255.255.240.0
Site B address range: 10.145.0.0 255.255.240.0
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(1)
!
hostname asa
enable password $sha512$5000$Xre5nuZUSefXJxmsCK3WLw==$258TRrfyVQE031EHivl13g== pbkdf2
passwd PmWaOgPwdORk/oke encrypted
names
!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address
!
interface GigabitEthernet1/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/2.100
vlan 100
nameif wire
security-level 100
ip address 10.145.0.253 255.255.255.0
!
interface GigabitEthernet1/2.102
vlan 102
nameif wireless-guest
security-level 100
ip address 10.145.2.253 255.255.255.0
!
interface GigabitEthernet1/2.103
vlan 103
nameif other-management
security-level 100
ip address 10.145.3.125 255.255.255.128
!
interface GigabitEthernet1/2.104
vlan 104
nameif management
security-level 100
ip address 10.145.3.254 255.255.255.128
!
interface GigabitEthernet1/2.105
vlan 105
nameif wireless-employeer
security-level 100
ip address 10.145.1.253 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network wire
subnet 10.145.0.0 255.255.255.0
object network wireless-employeer
subnet 10.145.1.0 255.255.255.0
object network other-management
subnet 10.145.3.0 255.255.255.128
object network management
subnet 10.145.3.128 255.255.255.128
object network wireless-guest
subnet 10.145.2.0 255.255.255.0
object network local-lan
subnet 10.145.0.0 255.255.240.0
object network remote
subnet 10.132.0.0 255.255.240.0
object network remote-df
subnet 10.137.0.0 255.255.240.0
object network remote-usa
subnet 10.133.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object management object remote
access-list ipsecvpn extended permit ip object management object remote-df
access-list ipsecvpn extended permit ip object management object remote-usa
access-list ipsecvpn extended permit ip object wireless-employeer object remote-df
access-list ipsecvpn extended permit ip object wireless-employeer object remote
access-list ipsecvpn extended permit ip object wireless-employeer object remote-usa
access-list ipsecvpn extended permit ip object wire object remote
access-list ipsecvpn extended permit ip object wire object remote-df
access-list ipsecvpn extended permit ip object wire object remote-usa
access-list ipsecvpn extended permit ip object other-management object remote
access-list ipsecvpn extended permit ip object other-management object remote-df
access-list ipsecvpn extended permit ip object other-management object remote-usa
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu wire 1500
mtu wireless-employeer 1500
mtu wireless-guest 1500
mtu other-management 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (other-management,outside) source static other-management other-management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote remote no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-df remote-df no-proxy-arp route-lookup
nat (management,outside) source static management management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote remote no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-df remote-df no-proxy-arp route-lookup
nat (wireless-employeer,outside) source static wireless-employeer wireless-employeer destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-df remote-df no-proxy-arp route-lookup
nat (other-management,outside) source static other-management other-management destination static remote-usa remote-usa no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote remote no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-df remote-df no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-usa remote-usa no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 ****** 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wire 10.145.0.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.145.1.0 255.255.255.0 10.145.3.253 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.137.0.0 255.255.240.0 10.132.0.1 1
route wireless-guest 10.145.2.0 255.255.255.0 10.145.3.253 1
route other-management 10.145.3.0 255.255.255.128 10.145.3.253 1
route management 10.145.3.128 255.255.255.128 10.145.3.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 10.145.3.0 255.255.255.128 other-management
http 10.145.3.128 255.255.255.128 management
http 10.145.0.0 255.255.255.0 wire
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set transform esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map crymap 1 match address ipsecvpn
crypto map crymap 1 set peer *.*.*.*
crypto map crymap 1 set ikev1 transform-set transform
crypto map crymap interface outside
crypto ca trustpool policy
no crypto isakmp nat-traversal
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh 10.145.0.0 255.255.255.0 wire
ssh 10.145.3.128 255.255.255.128 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
dhcpd lease 36000
!
dhcpd address 10.145.0.1-10.145.0.249 wire
dhcpd dns 10.132.0.5 61.147.37.1 interface wire
dhcpd lease 36000 interface wire
dhcpd enable wire
!
dhcpd address 10.145.1.1-10.145.1.249 wireless-employeer
dhcpd dns 10.132.0.5 61.147.37.1 interface wireless-employeer
dhcpd lease 36000 interface wireless-employeer
dhcpd enable wireless-employeer
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy gp internal
group-policy gp attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
username admin password $sha512$5000$VeNcuhzHn/sy0eQMQtWXnA==$9n/wFy2uUi1GwjwATBWblA== pbkdf2
tunnel-group *.*.*.* type ipsec-l2l
tunnel-group *.*.*.* general-attributes
default-group-policy gp
tunnel-group *.*.*.* ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 60 retry 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
!
show crypto ikev1 sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: *.*.*.*
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 82425
26 replies

Mansur
Spotlight
Since one direction works, the forward and return paths through the intermediate devices are fine.
If B to A does not work, find where the fault point is and then troubleshoot that specifically.
First capture packets in the B-to-A direction on the B device, the A device and the destination server, to see whether the failure is because the packets never arrive,
or the packets arrive and the target does not send a reply, or the reply is sent but not forwarded somewhere along the way.

Wubin2010
Spotlight
Test whether the interesting traffic matches correctly; confirm whether the B-to-A traffic is actually going through IPsec.

wuleihen
Spotlight
Wubin2010 posted on 2018-8-13 13:06
Test whether the interesting traffic matches correctly; confirm whether the B-to-A traffic is actually going through IPsec.

How do I test whether it matches the interesting traffic?? I compared the access control lists on both sides and they correspond.

13nash
Level 8
I have never managed to get a configuration with Sangfor to work; I would suggest not configuring it.

wuleihen
Spotlight
13nash posted on 2018-8-13 13:42
I have never managed to get a configuration with Sangfor to work; I would suggest not configuring it.

It did work before, it was just unstable; later I reconfigured it, which led to the current situation.

Mansur
Spotlight
wuleihen posted on 2018-8-13 14:30
It did work before, it was just unstable; later I reconfigured it, which led to the current situation.

Try restarting the Sangfor device... :(
For the Sangfor behaviour-management box we have here, last month we already helped them find two bugs, one major and one minor.
The major bug caused a network outage; the minor one they found during the upgrade process.

yssqt5211
Level 1
I have run into this with a Sangfor against a Polota device: at first pinging from the Polota side to the Sangfor did not work, but if the Sangfor pinged first it would then work. Later the 400 support hotline could not find the cause either, and after that I did not follow up on the problem.

wuleihen
Spotlight
yssqt5211 posted on 2018-8-16 07:30
I have run into this with a Sangfor against a Polota device: at first pinging from the Polota side to the Sangfor did not work, but if the Sangfor pinged first it would then work. Later ...

Sigh, yours is fine now, but mine still is not connected. Once it works I will not want to bother with it any more either.

Terence.Jh
Spotlight
asa does not support

Rockyw
Spotlight
It feels like a Sangfor problem too; the OP can use this as a reference.
You can troubleshoot according to the following steps:
1. Check whether the VPN devices at both ends are deployed in one-armed mode or as the gateway. If one-armed, has a return route been written? (How to configure the return route: on the gateway device that the VPN device points to, add a static route whose destination network is the peer's internal subnet and whose next hop is the LAN port of the local VPN device.)
2. Check whether the local VPN device's firewall policy, or an internal firewall device, imposes restrictions.
3. From the peer device's command console, or by logging in to the peer device through the upgrade client, test whether communication between the peer device and the server to be reached is normal (if the peer server blocks ping, this test can be skipped).
4. Check whether PCs on the peer's internal network can access the server normally.
5. Check whether the peer VPN device has internal service permissions or firewall restrictions configured.
6. Check whether the server restricts by source, or has multiple NICs or egress paths.
The above information comes from a post on the Sangfor forum: "Building a LAN over VPN, headquarters cannot ping the branch".
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rockyw | If it solves your problem, please mark as answer. Thanks !

yssqt5211
Level 1
13nash posted on 2018-8-13 13:42
I have never managed to get a configuration with Sangfor to work; I would suggest not configuring it.

Hello, a Sangfor VPN interconnected with a third-party device can work.

yssqt5211
Level 1
wuleihen posted on 2018-8-16 08:52
Sigh, yours is fine now, but mine still is not connected. Once it works I will not want to bother with it any more either.

First confirm whether the packets are going through the VPN tunnel.

wuleihen
Spotlight
yssqt5211 posted on 2018-8-18 08:30
First confirm whether the packets are going through the VPN tunnel.

Yes, with tracert I found that the first hop is always lost; it should be something like a NAT exemption problem, but I see the client is in my twice-NAT list,

wuleihen
Spotlight
yssqt5211 posted on 2018-8-18 08:29
Hello, a Sangfor VPN interconnected with a third-party device can work.

Yes, it was tested successfully before,
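
The thread keeps coming back to two questions: does B-to-A traffic match the interesting traffic and its NAT exemption, and does it actually reach the crypto map? The script below is an added example, not code from anyone in this thread. It parses a constructed excerpt modelled on the posted ASA configuration (objects, the `ipsecvpn` ACL, the twice-NAT identity rules, static routes and the `crymap` bindings) and reports, for every crypto ACL entry, a missing identity NAT rule and any remote network whose longest-prefix static route exits an interface other than the one the crypto map is bound to, since a crypto map only encrypts traffic that egresses its own interface. The default-route gateway is masked in the post, so a documentation address stands in, and one NAT exemption is deliberately dropped from the excerpt so that check has something to report; the posted config itself carries all twelve exemptions. On the posted routes, the remote subnets 10.132.0.0/20, 10.133.0.0/20 and 10.137.0.0/20 resolve to the `wireless-employeer` and `management` interfaces rather than `outside`, which is exactly what the second check flags.

```python
"""Cross-check an ASA site-to-site IPsec configuration.

For every entry of the crypto ACL (the interesting traffic) verify that
(1) a twice-NAT identity rule exempts the source/destination pair from translation, and
(2) the remote network is routed out of the interface the crypto map is bound to.
Added example; regex coverage is limited to the statement forms seen in the thread.
"""
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in the thread (not the full config).
# 203.0.113.1 is a placeholder for the masked default gateway. The management -> remote
# NAT exemption is left out on purpose so the first check fires on this sample.
SAMPLE_CONFIG = """\
object network wire
 subnet 10.145.0.0 255.255.255.0
object network management
 subnet 10.145.3.128 255.255.255.128
object network remote
 subnet 10.132.0.0 255.255.240.0
object network remote-df
 subnet 10.137.0.0 255.255.240.0
object network remote-usa
 subnet 10.133.0.0 255.255.240.0
access-list ipsecvpn extended permit ip object wire object remote
access-list ipsecvpn extended permit ip object wire object remote-df
access-list ipsecvpn extended permit ip object wire object remote-usa
access-list ipsecvpn extended permit ip object management object remote
nat (wire,outside) source static wire wire destination static remote remote no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-df remote-df no-proxy-arp route-lookup
nat (wire,outside) source static wire wire destination static remote-usa remote-usa no-proxy-arp route-lookup
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route management 10.128.0.0 255.240.0.0 10.132.0.1 1
route wireless-employeer 10.132.0.0 255.255.240.0 10.132.0.1 1
route wireless-employeer 10.133.0.0 255.255.240.0 10.132.0.1 1
crypto map crymap 1 match address ipsecvpn
crypto map crymap interface outside
"""

OBJ_RE = re.compile(r"^object network (\S+)\s*$")
SUBNET_RE = re.compile(r"^\s*subnet (\S+) (\S+)\s*$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
# Only identity rules count as exemptions: "source static X X destination static Y Y".
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \3 destination static (\S+) \4")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+ \d+")
CRYPTO_ACL_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)")
CRYPTO_IF_RE = re.compile(r"^crypto map (\S+) interface (\S+)")


def parse(config):
    """Collect network objects, ACL entries, NAT exemptions, static routes and crypto-map bindings."""
    cfg = {"objects": {}, "acls": {}, "exemptions": set(), "routes": [],
           "crypto_acl": {}, "crypto_if": {}}
    current_object = None
    for line in config.splitlines():
        if m := OBJ_RE.match(line):
            current_object = m.group(1)
        elif (m := SUBNET_RE.match(line)) and current_object:
            # ipaddress accepts "address/dotted-netmask" directly
            cfg["objects"][current_object] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
        elif m := ACL_RE.match(line):
            cfg["acls"].setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            cfg["exemptions"].add((m.group(3), m.group(4)))
        elif m := ROUTE_RE.match(line):
            cfg["routes"].append((m.group(1), ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")))
        elif m := CRYPTO_ACL_RE.match(line):
            cfg["crypto_acl"][m.group(1)] = m.group(2)
        elif m := CRYPTO_IF_RE.match(line):
            cfg["crypto_if"][m.group(1)] = m.group(2)
    return cfg


def egress_interface(network, routes):
    """Longest-prefix match of the remote network's first address against the static routes."""
    best = None
    for iface, route_net in routes:
        if network.network_address in route_net and (best is None or route_net.prefixlen > best[1].prefixlen):
            best = (iface, route_net)
    return best


def audit(config):
    """Return human-readable findings; an empty list means both checks passed for every ACL entry."""
    cfg = parse(config)
    findings = []
    for cmap, acl_name in cfg["crypto_acl"].items():
        crypto_if = cfg["crypto_if"].get(cmap)
        for src, dst in cfg["acls"].get(acl_name, []):
            if (src, dst) not in cfg["exemptions"]:
                findings.append(f"no identity NAT for {src} -> {dst}; tunnel traffic may be translated")
            remote_net = cfg["objects"][dst]
            hit = egress_interface(remote_net, cfg["routes"])
            if hit is None:
                findings.append(f"no route for {dst} ({remote_net})")
            elif hit[0] != crypto_if:
                findings.append(f"{src} -> {dst} ({remote_net}) is routed via {hit[0]} by "
                                f"'route {hit[0]} {hit[1]}', not via {crypto_if} where {cmap} is bound")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a `show running-config` capture instead of the sample to get the same report for a real box. The on-box equivalent of the second check is `packet-tracer input <inside-ifc> icmp <inside-host> 8 0 <remote-host>`, whose ROUTE-LOOKUP and VPN phases show which interface the ASA picks and whether the crypto map is consulted at all; routes for the peer's subnets that point at an inside interface keep the packet from ever reaching the crypto map on `outside`, while replies to connections the peer initiated still follow the existing connection entry, which matches the one-way symptom described at the top of the thread.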