Cisco ASA to Azure IPSec VPN, route based (static route)

Reader submission 354 2022-09-11



Today I did something very stupid. I'm writing it down here as a pitfall I stepped into, so I don't make the same mistake next time. The story: we needed to build a VPN tunnel between a Cisco ASA firewall and Azure so that traffic between the two sides passes normally.

########################################### During the implementation I actually ran into three problems

1. A configuration typo. It is best to have someone else check your config <-- I have already corrected the typo here.
2. A NAT configuration error. I considered myself quite familiar with the ASA; who knew I would get careless.
3. The VPN not coming up. You must debug; the debug commands are below. In production, be sure to plan the project window carefully, ideally on a weekend or in the early morning!

```
debug crypto condition peer 8.8.8.8   <--peer ip address
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
```

###########################################

My requirement is that the Cisco ASA side, 192.168.80.0/24, and the Azure side, 10.0.0.0/24, can reach each other normally. Dear readers, please help me troubleshoot; if you find the problem, that proves you're good, haha!!!

Pay close attention to the packet-tracer part.

##### ASA side configuration

```
crypto ikev2 policy 2
 encryption aes-256 aes-192 aes
 integrity sha512 sha384 sha256 sha
 group 14 2
 prf sha512 sha384 sha256 sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal Azure-Ipsec-PROP-vpn-2-40.65.166.197
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile Azure-Ipsec-PROF-vpn-2-40.65.166.197
 set ikev2 ipsec-proposal Azure-Ipsec-PROP-vpn-2-40.65.166.197
tunnel-group 40.65.166.197 type ipsec-l2l
tunnel-group 40.65.166.197 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *******
 ikev2 local-authentication pre-shared-key *******
interface Tunnel6
 nameif vti-vpn-2-40.65.166.197
 ip address 10.0.1.241 255.255.255.252   #It should be within the 'GatewaySubnet' in Azure (this part is fine)
 tunnel source interface outside
 tunnel destination 40.65.166.197
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Azure-Ipsec-PROF-vpn-2-40.65.166.197
 no shutdown
route vti-vpn-2-40.65.166.197 10.0.0.0 255.255.0.0 40.65.166.197
object-group network VPN-LOCAL-Azure
 network-object 192.168.80.0 255.255.255.0
object-group network VPN-REMOTE-Azure
 network-object 10.0.0.0 255.255.0.0
nat (any,OUTSIDE) source static VPN-LOCAL-Azure VPN-LOCAL-Azure destination static VPN-REMOTE-Azure VPN-REMOTE-Azure no-proxy-arp
```

## The wrong result

```
FW-990037-493100/pri/act# packet-tracer input inSIDE tcp 192.168.80.169 888 10.0.0.4 444

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config: Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,OUTSIDE) source static VPN-LOCAL-Azure VPN-LOCAL-Azure destination static VPN-REMOTE-Azure VPN-REMOTE-Azure no-proxy-arp
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 10.0.0.4/444 to 10.0.0.4/444

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.80.169 using egress ifc INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface INSIDE
access-list 100 extended permit ip host 192.168.80.169 10.0.0.0 255.255.255.0
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,OUTSIDE) source static VPN-LOCAL-Azure VPN-LOCAL-Azure destination static VPN-REMOTE-Azure VPN-REMOTE-Azure no-proxy-arp
Additional Information:
Static translate 192.168.80.169/888 to 192.168.80.169/888

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (any,OUTSIDE) source static VPN-LOCAL-Azure VPN-LOCAL-Azure destination static VPN-REMOTE-Azure VPN-REMOTE-Azure no-proxy-arp
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12627, packet dispatched to next module

Phase: 14
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc OUTSIDE

Phase: 15
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 50.56.20.1 using egress ifc OUTSIDE

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0000.0c9f.f001 hits 15023946 reference 18

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
```

# And the correct result

```
FW-990037-493100/pri/act# packet-tracer input inSIDE tcp 192.168.80.169 888 10.0.0.4 444

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config: Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 40.65.166.197 using egress ifc vti-vpn-2-40.65.166.197

Phase: 4
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.80.169 using egress ifc INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 100 in interface INSIDE
access-list 100 extended permit ip host 192.168.80.169 10.0.0.0 255.255.255.0
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 13573, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: vti-vpn-2-40.65.166.197
output-status: up
output-line-status: up
Action: allow
```
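The difference between the two packet-tracer runs above can be checked mechanically. This is an added example (Python, not code from the original post): it scans packet-tracer output for a NAT divert, the final output interface and the VPN encrypt phase, and reports which of the three a trace fails on. The VTI name comes from the runs above; the two sample traces are constructed and abridged from them.

```python
import re

# Added example, not code from the post. The two samples are constructed,
# abridged packet-tracer text keeping only the lines that decide the verdict.
BAD_TRACE = """Phase: 3
Type: UN-NAT
Subtype: static
Additional Information:
NAT divert to egress interface OUTSIDE
Phase: 15
Type: ROUTE-LOOKUP
Additional Information:
found next-hop 50.56.20.1 using egress ifc OUTSIDE
Result:
output-interface: OUTSIDE
Action: allow
"""

GOOD_TRACE = """Phase: 3
Type: ROUTE-LOOKUP
Additional Information:
found next-hop 40.65.166.197 using egress ifc vti-vpn-2-40.65.166.197
Phase: 9
Type: VPN
Subtype: encrypt
Result:
output-interface: vti-vpn-2-40.65.166.197
Action: allow
"""


def check_vti_egress(trace: str, vti_ifc: str) -> dict:
    """Decide whether a packet-tracer run really sends the flow into the VTI."""
    divert = re.search(r"NAT divert to egress interface (\S+)", trace)
    out = re.search(r"^output-interface:\s*(\S+)", trace, re.M)
    phases = re.findall(r"^Type:\s*(\S+)(?:\nSubtype:[ \t]*(.*))?", trace, re.M)
    encrypted = any(t == "VPN" and s.strip() == "encrypt" for t, s in phases)
    out_ifc = out.group(1) if out else None
    if divert:  # a NAT rule picked the egress interface before the route lookup ran
        reason = f"NAT divert to {divert.group(1)}; check the NAT interface pair"
    elif out_ifc != vti_ifc:
        reason = f"egress {out_ifc}, expected {vti_ifc}; check the route to the remote prefix"
    elif not encrypted:
        reason = "reached the VTI but no VPN encrypt phase; check the ipsec profile"
    else:
        reason = "ok"
    return {"output_interface": out_ifc, "vpn_encrypt": encrypted,
            "nat_divert_to": divert.group(1) if divert else None,
            "ok": reason == "ok", "reason": reason}
```

Run it as `check_vti_egress(open("trace.txt").read(), "vti-vpn-2-40.65.166.197")` on a pasted packet-tracer output; the `reason` field names the first failing check.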

## Below are templates, for anyone who needs them. Fields in angle brackets are placeholders to fill in.

```
## Cisco to Azure IKEv2 VPN and Routed Tunnel (VTI) template (static routing)
## adjust parameters where needed, use caution when modifying existing configuration
##
crypto ikev2 policy 1
 encryption aes-256 aes-192
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-PROPOSAL-AZURE
 protocol esp encryption aes-gmac-256 aes-256
 protocol esp integrity sha-256 sha-1
crypto ipsec profile AZURE-IPSEC-PROF
 set ikev2 ipsec-proposal IKEV2-IPSEC-PROPOSAL-AZURE
 set security-association lifetime seconds 27000
tunnel-group <AZURE-GATEWAY-IP> type ipsec-l2l
tunnel-group <AZURE-GATEWAY-IP> ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
#NOTE: a single IP will work. You do not need to configure a standby IP address.
interface Tunnel<N>
 no shutdown
 nameif Azure-sVTI-<N>
 ip address <VTI-IP> <VTI-MASK>   #It should be within the 'GatewaySubnet' in Azure
 #more info: https://docs.microsoft.com/en-us/vpn-gateway/vpn-gateway-bgp-overview
 tunnel source interface <OUTSIDE-IFC>
 tunnel destination <AZURE-GATEWAY-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-IPSEC-PROF
#if you notice routing issues you may need to add a route from the ASA
route Azure-sVTI-<N> <AZURE-NETWORK> <MASK> <AZURE-GATEWAY-IP>
#optional
sysopt connection preserve-vpn-flows
```

Template with BGP routing

```
## Cisco to Azure IKEv2 VPN and Routed Tunnel (VTI) template (dynamic routing)
## The template largely follows the standard IKEv2 template in the "VPN template" wiki
## adjust parameters where needed, use caution when modifying existing configuration
##
crypto ikev2 policy 1
 encryption aes-256 aes-192
 integrity sha256 sha
 group 2
 prf sha
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-PROPOSAL-AZURE
 protocol esp encryption aes-gmac-256 aes-256
 protocol esp integrity sha-256 sha-1
crypto ipsec profile AZURE-IPSEC-PROF
 set ikev2 ipsec-proposal IKEV2-IPSEC-PROPOSAL-AZURE
 set security-association lifetime seconds 27000
tunnel-group <AZURE-GATEWAY-IP> type ipsec-l2l
tunnel-group <AZURE-GATEWAY-IP> ipsec-attributes
 ikev2 local-authentication pre-shared-key <PSK>
 ikev2 remote-authentication pre-shared-key <PSK>
#NOTE: a single IP will work. You do not need to configure a standby IP address.
interface Tunnel<N>
 no shutdown
 nameif Azure-sVTI-<N>
 ip address <VTI-IP> <VTI-MASK>   #It should be within the 'GatewaySubnet' in Azure
 #more info: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-overview
 tunnel source interface <OUTSIDE-IFC>
 tunnel destination <AZURE-GATEWAY-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-IPSEC-PROF
#BGP configuration
prefix-list PREFIX-<NAME>-IN seq 5 permit <CIDR>    #<CIDRS ALLOWED IN TO ROUTING TABLE>
prefix-list PREFIX-<NAME>-OUT seq 5 permit <CIDR>   #<CIDRS ALLOWED ADVERTISED OUT TO BGP PEER>
prefix-list PREFIX-<NAME>-OUT seq 10 permit <CIDR>  #<CIDRS ALLOWED ADVERTISED OUT TO BGP PEER>
prefix-list PREFIX-BGP-STATIC seq 5 permit <CIDR>
prefix-list PREFIX-BGP-CONNECTED seq 5 permit <CIDR>
prefix-list PREFIX-BGP-CONNECTED seq 10 permit <CIDR>
#route maps reference prefix lists
route-map ROUTEMAP-<NAME>-IN
 match ip add prefix-list PREFIX-<NAME>-IN
route-map ROUTEMAP-<NAME>-OUT
 match ip add prefix-list PREFIX-<NAME>-OUT
route-map ROUTEMAP-BGP-STATIC
 match ip add prefix-list PREFIX-BGP-STATIC
route-map ROUTEMAP-BGP-CONNECTED
 match ip add prefix-list PREFIX-BGP-CONNECTED
router bgp <LOCAL-ASN>
 bgp log-neighbor-changes
 address-family ipv4 unicast
  neighbor <AZURE-BGP-PEER-IP> remote-as <AZURE-ASN>
  neighbor <AZURE-BGP-PEER-IP> timers 10 30 30
  neighbor <AZURE-BGP-PEER-IP> activate
  neighbor <AZURE-BGP-PEER-IP> route-map ROUTEMAP-<NAME>-IN in
  neighbor <AZURE-BGP-PEER-IP> route-map ROUTEMAP-<NAME>-OUT out
  redistribute connected route-map ROUTEMAP-BGP-CONNECTED
  redistribute static route-map ROUTEMAP-BGP-STATIC
  no auto-summary
  no synchronization
 exit-address-family
#you must add a route to the Azure BGP peer IP address (automatically configured out of the Azure gateway subnet)
route Azure-sVTI-<N> <AZURE-BGP-PEER-IP> <MASK> <AZURE-GATEWAY-IP>
#optional
sysopt connection preserve-vpn-flows
```
