Cisco ASA 5510(7.0(5) 펌웨어, IP 222.222.222.222)과 Watchguard X750e 방화벽(10.2 펌웨어, IP 111.111.111.111) 사이에 lan-to-lan VPN을 설정하려고 합니다.
1단계가 시작되지만 "IKE가 원격 피어와의 연결이 끊겼습니다. 연결을 삭제 중입니다"라는 메시지가 로그에 나타나고 ASa는 2단계 구성을 시작하지 않습니다. 이 문제의 원인은 무엇입니까?
로그 및 구성 정보는 다음과 같습니다. 보기 흉한 텍스트 벽에 대해 죄송합니다.
ASA 끝의 로그에서:
Jun 12 2009 21:00:51: %ASA-3-713119: Group = 111.111.111.111, IP = 111.111.111.111, PHASE 1 COMPLETED
Jun 12 2009 21:00:51: %ASA-7-713121: IP = 111.111.111.111, Keep-alive type for this connection: DPD
Jun 12 2009 21:00:51: %ASA-7-713906: Group = 111.111.111.111, IP = 111.111.111.111, Starting phase 1 rekey timer: 64800000 (ms)
Jun 12 2009 21:00:52: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de1)
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:52: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:52: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=56732dee) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de2)
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:54: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:54: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f3add2bd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:54: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:56: %ASA-7-715036: Group = 111.111.111.111, IP = 111.111.111.111, Sending keep-alive of type DPD R-U-THERE (seq number 0x66612de3)
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing blank hash payload
Jun 12 2009 21:00:56: %ASA-7-715046: Group = 111.111.111.111, IP = 111.111.111.111, constructing qm hash payload
Jun 12 2009 21:00:56: %ASA-7-713236: IP = 111.111.111.111, IKE_DECODE SENDING Message (msgid=f65762ed) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 12 2009 21:00:57: %ASA-7-713906: Received unexpected event EV_RESEND_MSG in state MM_REKEY_DONE_H2
Jun 12 2009 21:00:58: %ASA-3-713123: Group = 111.111.111.111, IP = 111.111.111.111, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
그리고 Watchguard 끝에서:
11:08:36 iked Drop negotiation to peer 222.222.222.222:500 due to phase 1 retry timeout msg_id="0203-5161" Debug
11:08:40 iked WARNING: Mismatched ID settings at peer 222.222.222.222:500 caused an authentication failure msg_id="0203-5156" Debug
11:08:40 iked Process 5/6 Msg : failed to process ID payload Debug
11:17:00 iked Process 5/6 Msg : failed to process ID payload 4 Debug
11:17:00 iked Process INFO_EXCHANGE : EncryptBit set before SA created Debug
11:17:00 iked Cannot process the inform message from 222.222.222.222:500 to 111.111.111.111 cookies i=9a3397be 0547688f r=1665ee71 2185bf5c msg_id="0203-5059" Debug
우리 측의 구성은 다음과 같습니다.
object-group network REMOTENETWORK
network-object 215.12.34.0 255.255.255.0
access-list outside_cryptomap_100 extended permit ip 10.88.88.96 255.255.255.240 object-group REMOTENETWORK
access-list outside_cryptomap_100 extended permit ip 10.88.88.128 255.255.255.224 object-group REMOTENETWORK
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer 111.111.111.111
crypto map outside_map 100 set transform-set ESP-3DES-SHA
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key SECRETKEY
1단계와 2단계의 원격 Watchguard 구성 스크린샷:
답변1
다음은 도움이 될 수 있는 IKE SA 불일치에 대한 몇 가지 팁에 대한 링크입니다(다루어 볼 수 있는 디버그 명령도 있음).
http://www.networkworld.com/subnets/cisco/1114-ch4-ipsec-vpn.html
답변2
DPD를 비활성화해 보셨나요? 서로 다른 공급업체 간의 DPD가 작동할 수도 있습니다. 두 장치 모두 기본 모드를 사용하도록 설정되어 있습니까? 설정을 계속해서 살펴보세요..
답변3
1단계에서 게이트웨이 IP에 DNS 이름이나 IP 주소를 제공해야 합니다.
IP 주소를 입력하고 그 아래 드롭다운 상자에서 IP를 선택합니다.