vpn do IPSec site-to-site do ASA para os endpoints do ipsec-tools do linux para de funcionar após um período de tempo aleatório

Question

vpn do IPSec site-to-site do ASA para os endpoints do ipsec-tools do linux para de funcionar após um período de tempo aleatório

#1 resposta do (3 votos)

6

Nós trocamos para o ASA no fim de semana, e substituímos nossa infra-estrutura VPN que anteriormente era baseada em openvpn e agora estamos usando IPSec entre nossos ASA 5520 e nossos outros sites que possuem roteadores linux (CentOS).

As VPNs se conectam bem, mas após um período as conexões falham. No ASA, não mostra nenhum ipsec SA para o par, mas mostra um isakmp sa ainda ativo. Se eu limpar as SAs nos dois lados da conexão, a VPN voltará a funcionar novamente.

Estou assumindo que o problema é um problema de rekeying, mas parece que todas as propostas têm as mesmas vidas-chave (mostradas abaixo). Qualquer pensamento sobre o que poderia ser o problema?

NOTE - ofusquei os endereços IP dessas capturas; Eu tenho uma suspeita de que algo está errado com a minha proposta para que os IPs não sejam relevantes. Suponha que todos os IPs sejam marcadores de posição.

Criptografia de execução do show ASA


crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map OUTSIDE_DYN_MAP 10 set ikev1 transform-set ESP-3DES-SHA
crypto dynamic-map OUTSIDE_DYN_MAP 10 set security-association lifetime seconds 288000
crypto dynamic-map OUTSIDE_DYN_MAP 10 set reverse-route
crypto map vpnmap 10 match address colo1_to_hq_vpn
crypto map vpnmap 10 set pfs
crypto map vpnmap 10 set peer 1.1.1.1
crypto map vpnmap 10 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 20 match address colo1_to_colo2_vpn
crypto map vpnmap 20 set pfs
crypto map vpnmap 20 set peer 2.2.2.2
crypto map vpnmap 20 set ikev1 transform-set ESP-3DES-SHA
crypto map vpnmap 65500 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map vpnmap interface OUTSIDE
crypto isakmp identity address
crypto isakmp nat-traversal 300
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

ASA mostra um detalhe de criptografia isakmp


IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85905
2   IKE Peer: y.y.y.y
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85976

ASA mostra ipsec de criptografia


peer address: x.x.x.x
    Crypto map tag: vpnmap, seq num: 10, local addr: y.y.y.y

      access-list peer1_to_hq_vpn extended permit ip z.z.z.z 255.255.0.0 t.t.t.t 255.255.0.0
      local ident (addr/mask/prot/port): (9.9.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (8.8.0.0/255.255.0.0/0/0)
      current_peer: 38.104.67.142

      #pkts encaps: 4714, #pkts encrypt: 4714, #pkts digest: 4714
      #pkts decaps: 4672, #pkts decrypt: 4672, #pkts verify: 4672
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4714, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 06596006
      current inbound spi : 55EC97A1

    inbound esp sas:
      spi: 0x55EC97A1 (1441568673)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 204800, crypto-map: vpnmap
         sa timing: remaining key lifetime (sec): 85731
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xBFFFFFFF
    outbound esp sas:
      spi: 0x06596006 (106520582)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 204800, crypto-map: vpnmap
         sa timing: remaining key lifetime (sec): 85731
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Configuração do IPSec do CentOS:


TYPE=IPSEC
ONBOOT=YES
IKE_METHOD=PSK
SRCGW=1.1.1.1
DSTGW=2.2.2.2
SRCNET=1.1.1.1/16
DSTNET=2.2.2.2/16
DST=64.34.119.71
AH_PROTO=none

configuração do racoon:


sainfo anonymous
{
        pfs_group 2;
        lifetime time 24 hour;
        encryption_algorithm 3des, blowfish 448, rijndael;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
remote 1.2.3.4
{
        exchange_mode aggressive, main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

Entradas relevantes de SAD / SPD:


64.34.119.71 38.104.67.142
        esp mode=tunnel spi=106520582(0x06596006) reqid=0(0x00000000)
        E: 3des-cbc  8973cb22 ce1ab25c c4a4427c aac0c857 06917359 9b88e01e
        A: hmac-sha1  3655fb9b e6882226 829f2214 0b22ec27 8155587b
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 16 11:30:43 2012   current: Apr 16 11:36:58 2012
        diff: 375(s)    hard: 86400(s)  soft: 69120(s)
        last: Apr 16 11:30:43 2012      hard: 0(s)      soft: 0(s)
        current: 898519(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2749 hard: 0 soft: 0
        sadb_seq=3 pid=12574 refcnt=0
38.104.67.142 64.34.119.71
        esp mode=tunnel spi=1441568673(0x55ec97a1) reqid=0(0x00000000)
        E: 3des-cbc  0f5bdfdc 23b140f8 4636326f f194fa0d 6a919f28 a6974b5f
        A: hmac-sha1  586e3bf7 794960e1 e9da8707 5863e94d e88e0a11
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Apr 16 11:30:43 2012   current: Apr 16 11:36:58 2012
        diff: 375(s)    hard: 86400(s)  soft: 69120(s)
        last: Apr 16 11:30:43 2012      hard: 0(s)      soft: 0(s)
        current: 645624(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2764 hard: 0 soft: 0
        sadb_seq=0 pid=12574 refcnt=0

1.1.0.0/16[any] 2.2.0.0/16[any] any
        in prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=12784 seq=59 pid=12583
        refcnt=1

2.2.0.0/16[any] 1.1.0.0/16[any] any
        out prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused: Apr 16 11:37:59 2012
        lifetime: 0(s) validtime: 0(s)
        spid=12777 seq=57 pid=12583
        refcnt=402

1.1.0.0/16[any] 2.2.0.0/16[any] any
        fwd prio def ipsec
        esp/tunnel/1.1.1.1-2.2.2.2/require
        created: Apr 16 11:30:12 2012  lastused: Apr 16 11:37:59 2012
        lifetime: 0(s) validtime: 0(s)
        spid=12794 seq=55 pid=12583
        refcnt=54

cisco ipsec linux cisco-asa racoon

por Peter Grace 16.04.2012 / 17:48

1 resposta

Tags cisco ipsec linux cisco-asa racoon

Por que um 413 não pode ser liberado para o cliente imediatamente? nginx error_page para 502 erros de gateway inválidos

score 3 · Accepted Answer

A causa do problema foi que a versão do racoon no CentOS (ipsec-tools-0.6.5) parecia ter um bug no que diz respeito à digitação adequada. Eu compilei as últimas ipsec-tools da origem e o problema não ocorreu como resultado.

TL; DR - Atualize o ipsec-tools antes de bater a cabeça repetidamente na parede.