Hello everyone,
I am new to VPN and after two weeks of trial and error I have almost given up.
I need a VPN tunnel between a server with a public IP and my network. I want to query a few devices via SNMP from the server. This is all for learning purposes and is not intended as a production system. My network looks like this:
Server (62.141.xx.xx) --- (dynamic public IP) Fritzbox (192.168.178.1) --- (192.168.178.254) Cisco ASA5505 (10.0.0.1) --- 10.0.0.254 (Cisco switch)
I can query the ASA via SNMP without any problem through a port forwarding in the Fritzbox, but I cannot reach the switch.
I tried this with strongSwan over an S2S tunnel, so that the server can reach IPs in the internal network, i.e. 10.0.0.0/24, through the tunnel. The whole thing should run over IKEv2 with a pre-shared key.
strongSwan log:
initiating IKE_SA asa[31] to 87.79.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 62.141.38.242[500] to 87.79.xx.xx[500] (1066 bytes)
received packet: from 87.79.134.89[500] to 62.141.xx.xx[500] (521 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received unknown vendor ID: 43:49:53:43:4f:2d:xx:xx:xx:xx:xx:xx:xx:xx:xx
received FRAGMENTATION vendor ID
remote host is behind NAT
sending cert request for "CN=VPN root CA"
authentication of '62.141.xx.xx' (myself) with pre-shared key
establishing CHILD_SA asa{3}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 62.141.xx.xx[4500] to 87.79.xx.xx[4500] (412 bytes)
received packet: from 87.79.xx.xx[4500] to 62.141.xx.xx[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '192.168.178.254' with pre-shared key successful
IKE_SA asa[31] established between 62.141.xx.xx[62.141.xx.xx]...87.79.xx.xx[192.168.178.254]
scheduling reauthentication in 86078s
maximum IKE_SA lifetime 86258s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'asa' failed
ASA status:
ciscoasa# %ASA-7-713906: IKE Receiver: Packet received on 192.168.178.254:500 from 62.141.xx.xx:500
%ASA-5-750002: Local:192.168.178.254:500 Remote:62.141.xx.xx:500 Username:Unknown IKEv2 Received a IKE_INIT_SA request
%ASA-7-713906: IKE Receiver: Packet received on 192.168.178.254:4500 from 62.141.xx.xx:4500
%ASA-3-751022: Local:192.168.178.254:4500 Remote:62.141.xx.xx:4500 Username:62.141.xx.xx IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 62.141.xx.xx/62.141.xx.xx/0/65535/0 local traffic selector 10.0.0.0/10.0.0.255/0/65535/0!
%ASA-5-750006: Local:192.168.178.254:4500 Remote:62.141.xx.xx:4500 Username:62.141.xx.xx IKEv2 SA UP. Reason: New Connection Established
IKEv2-PROTO-1: (10): Failed to find a matching policy
IKEv2-PROTO-1: (10): Received Policies:
IKEv2-PROTO-1: (10): Failed to find a matching policy
IKEv2-PROTO-1: (10): Expected Policies:
IKEv2-PROTO-1: (10): Failed to find a matching policy
IKEv2-PROTO-1: (10):
strongSwan offers the following algorithms: ike=aes192-sha1-modp1536 esp=aes192-sha1
The ASA supports DES, 3DES, AES, AES192, AES256 (each with MD5 / SHA) and Diffie-Hellman group 5. So I have no idea why the connection always fails with:
Crypto Map Policy not found for remote traffic selector
I would be grateful for any help.
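Added example, not part of the post: a small Python helper that pulls the two traffic selectors out of the ASA-3-751022 line quoted above (the ASA writes them as start-addr/end-addr/start-port/end-port/protocol), turns them into CIDR blocks, and checks them against hypothetical crypto-map ACEs. The public address 203.0.113.10 is a constructed RFC 5737 stand-in for the masked 62.141.xx.xx, and the ACEs are assumptions, not the poster's configuration.

```python
import ipaddress
import re
from typing import NamedTuple

# Constructed sample of the ASA-3-751022 line quoted in the post; the masked
# 62.141.xx.xx is replaced by an RFC 5737 documentation address (assumption).
SAMPLE_LOG = (
    "%ASA-3-751022: Local:192.168.178.254:4500 Remote:203.0.113.10:4500 "
    "Username:203.0.113.10 IKEv2 Tunnel rejected: Crypto Map Policy not found "
    "for remote traffic selector 203.0.113.10/203.0.113.10/0/65535/0 "
    "local traffic selector 10.0.0.0/10.0.0.255/0/65535/0!"
)

# ASA prints IKEv2 traffic selectors as start-addr/end-addr/start-port/end-port/protocol.
SELECTOR_RE = re.compile(r"(remote|local) traffic selector ([\d.]+)/([\d.]+)/(\d+)/(\d+)/(\d+)")


class Selector(NamedTuple):
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    port_lo: int
    port_hi: int
    proto: int  # 0 = any protocol

    def networks(self):
        """The address range as CIDR blocks, i.e. what a crypto ACL would have to list."""
        return list(ipaddress.summarize_address_range(self.start, self.end))


def parse_selectors(line):
    """Return {'remote': Selector, 'local': Selector} parsed from an ASA-3-751022 line."""
    found = {}
    for side, start, end, port_lo, port_hi, proto in SELECTOR_RE.findall(line):
        found[side] = Selector(ipaddress.IPv4Address(start), ipaddress.IPv4Address(end),
                               int(port_lo), int(port_hi), int(proto))
    return found


def acl_covers(crypto_acl, selectors):
    """True if one ACE (local_net, remote_net), seen from the ASA side, contains both selectors."""
    local, remote = selectors["local"], selectors["remote"]
    for local_net, remote_net in crypto_acl:
        l_net, r_net = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
        if all(n.subnet_of(l_net) for n in local.networks()) and \
           all(n.subnet_of(r_net) for n in remote.networks()):
            return True
    return False


if __name__ == "__main__":
    sel = parse_selectors(SAMPLE_LOG)
    # Hypothetical crypto ACLs: one that matches the proposed selectors, one that does not.
    print(acl_covers([("10.0.0.0/24", "203.0.113.10/32")], sel))   # True
    print(acl_covers([("10.0.0.0/24", "192.168.178.0/24")], sel))  # False
```

The ports 0-65535 and protocol 0 in the log mean "any", so only the address ranges decide whether an ACE matches.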