If one side has PFS enabled and the other does not, the following errors appear:
May 02 2017 10:09:18: %ASA-5-713119: Group = 183.49.47.106, IP = 183.49.47.106, PHASE 1 COMPLETED
May 02 2017 10:09:18: %ASA-5-713904: Group = 183.49.47.106, IP = 183.49.47.106, All IPSec SA proposals found unacceptable!
May 02 2017 10:09:18: %ASA-3-713902: Group = 183.49.47.106, IP = 183.49.47.106, QM FSM error (P2 struct &0x00007fff9efdb610, mess id 0xbe9ad595)!
May 02 2017 10:09:18: %ASA-3-713902: Group = 183.49.47.106, IP = 183.49.47.106, Removing peer from correlator table failed, no match!
May 02 2017 10:09:18: %ASA-5-713259: Group = 183.49.47.106, IP = 183.49.47.106, Session is being torn down. Reason: Phase 2 Mismatch
May 02 2017 10:09:18: %ASA-4-113019: Group = 183.49.47.106, Username = 183.49.47.106, IP = 183.49.47.106, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
May 02 2017 10:09:18: %ASA-5-713904: IP = 183.49.47.106, Received encrypted packet with no matching SA, dropping
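Main mode: by default, the interface IP address is used as the tunnel-group ID to match the policy.
Aggressive mode: the tunnel-group ID can be customized. Cisco uses the interface IP address as the ID by default; the remote identity ID depends on how the peer defines it, and the local identity ID is the name of the already-configured tunnel group.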
-------------------------
May 02 2017 13:38:44: %ASA-5-713119: Group = spoke1, IP = 183.49.47.106, PHASE 1 COMPLETED
May 02 2017 13:38:44: %ASA-5-713076: Group = spoke1, IP = 183.49.47.106, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
May 02 2017 13:38:44: %ASA-5-713049: Group = spoke1, IP = 183.49.47.106, Security negotiation complete for LAN-to-LAN Group (spoke1) Responder, Inbound SPI = 0xc6cb4692, Outbound SPI = 0x92a645aa
May 02 2017 13:38:44: %ASA-5-713120: Group = spoke1, IP = 183.49.47.106, PHASE 2 COMPLETED (msgid=55089711)
-------------------------
May 02 2017 14:56:01: %ASA-5-713119: Group = YUNSHU, IP = 183.49.47.106, PHASE 1 COMPLETED
May 02 2017 14:56:01: %ASA-5-713076: Group = YUNSHU, IP = 183.49.47.106, Overriding Initiator's IPSec rekeying duration from 0 to 4608000 Kbs
May 02 2017 14:56:01: %ASA-5-713049: Group = YUNSHU, IP = 183.49.47.106, Security negotiation complete for LAN-to-LAN Group (YUNSHU) Responder, Inbound SPI = 0x3f1213b5, Outbound SPI = 0xf0380816
May 02 2017 14:56:01: %ASA-5-713120: Group = YUNSHU, IP = 183.49.47.106, PHASE 2 COMPLETED (msgid=f4d36555)
--------------------------
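The log patterns above can be triaged automatically. The following is an added example, not part of the original post: a Python sketch that groups ASA IKEv1 messages by (Group, IP) and reports whether each negotiation ended in a Phase 2 mismatch (the symptom of the one-sided PFS setting) or a completed tunnel, and whether the group ID is the peer IP or a name. The function name `classify` and the verdict strings are assumptions; the sample lines are taken from the logs on this page.

```python
import re

# Sample lines copied from the logs on this page (a subset of the messages).
SAMPLE = """\
May 02 2017 10:09:18: %ASA-5-713119: Group = 183.49.47.106, IP = 183.49.47.106, PHASE 1 COMPLETED
May 02 2017 10:09:18: %ASA-5-713904: Group = 183.49.47.106, IP = 183.49.47.106, All IPSec SA proposals found unacceptable!
May 02 2017 10:09:18: %ASA-5-713259: Group = 183.49.47.106, IP = 183.49.47.106, Session is being torn down. Reason: Phase 2 Mismatch
May 02 2017 13:38:44: %ASA-5-713119: Group = spoke1, IP = 183.49.47.106, PHASE 1 COMPLETED
May 02 2017 13:38:44: %ASA-5-713120: Group = spoke1, IP = 183.49.47.106, PHASE 2 COMPLETED (msgid=55089711)
"""

# timestamp, message ID, optional Group/Username fields, peer IP, free text
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): "
    r"(?:Group = (?P<group>[^,]+), )?(?:Username = [^,]+, )?"
    r"IP = (?P<ip>[^,]+), (?P<msg>.*)$"
)

def classify(log_text):
    """Return {(group, ip): {"verdict": ..., "id_type": ...}} per negotiation."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["group"]:
            continue  # not an ASA line, or no tunnel group attached
        key = (m["group"], m["ip"])
        if m["id"] == "713119":        # PHASE 1 COMPLETED
            state[key] = "phase1-only"
        elif m["id"] == "713120":      # PHASE 2 COMPLETED
            state[key] = "tunnel-up"
        elif m["id"] == "713904" and "proposals found unacceptable" in m["msg"]:
            state[key] = "phase2-mismatch"
        elif m["id"] == "713259" and "Phase 2 Mismatch" in m["msg"]:
            state[key] = "phase2-mismatch"
    # id_type "ip": the group ID is the peer address; "name": a named tunnel group
    return {k: {"verdict": v, "id_type": "ip" if k[0] == k[1] else "name"}
            for k, v in state.items()}

if __name__ == "__main__":
    for peer, result in classify(SAMPLE).items():
        print(peer, result)
```

A `phase2-mismatch` verdict right after Phase 1 completes means the Phase 2 proposals on the two peers should be compared, including the PFS setting described above.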