RouterOS 5.16 IPSEC с Cisco ASA 5510 ver. 8.4(2) не работает

Обсуждение ПО и его настройки
Ответить
nrg
Сообщения: 1
Зарегистрирован: 11 июл 2013, 13:37

11 июл 2013, 14:05

Добрый день!

Имеется плата RouterBOARD 750UP. Появилась задача поднять IPSEC-туннель между RouterOS 5.16 и Cisco ASA. При настройке следовал официальной документации (http://wiki.mikrotik.com/wiki/MikroTik_ ... wall_IPSEC). После настройки RouterOS не инициирует соединение с ASA. В логах ASA пусто, слушал сниффером, тоже пусто. другими словами RouterOS не предпринимает ничего для поднятия туннеля, хотя параметр send-initial-contact=yes указан явно. В корректности конфига Cisco уверен, т.к. он проверялся с другим железом и операционными системами (linux/openswan, openbsd 5.3)
Привожу примеры конфигов:

RouterBOARD 750UP:

Настройка IPSEC:
[admin@MikroTik] /ip ipsec> export
# jan/02/1970 00:55:16 by RouterOS 5.16
# software id = J5I2-JTCA
#
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=modp1536
/ip ipsec peer
add address=192.168.101.158/32 auth-method=pre-shared-key dh-group=modp1536 disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256 exchange-mode=main generate-policy=no \
hash-algorithm=sha1 lifebytes=0 lifetime=1d my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=obey secret=cisco send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.88.0/24 dst-port=any ipsec-protocols=esp level=require priority=0 proposal=default protocol=all sa-dst-address=192.168.101.158 \
sa-src-address=172.16.31.7 src-address=192.168.10.0/24 src-port=any tunnel=yes

Настройка Firewall:
[admin@MikroTik] /ip firewall> export
# jan/02/1970 00:57:01 by RouterOS 5.16
# software id = J5I2-JTCA
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input disabled=no protocol=ipsec-esp src-address=192.168.101.158
add action=accept chain=customer disabled=no dst-address=192.168.88.0/24 in-interface=ppp-out1 out-interface=ether2-master-local src-address=192.168.10.0/24
/ip firewall nat
add action=accept chain=srcnat disabled=no dst-address=192.168.10.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ppp-out1 to-addresses=0.0.0.0

Конфиг Cisco ASA:
# sh run
: Saved
:
ASA Version 8.4(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.101.158 255.255.255.248
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
boot system disk0:/asa842-k8.bin
ftp mode passive
access-list acl_sample extended permit ip 192.168.10.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list acl_sample extended permit ip 192.168.3.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list acl_sample extended permit ip 192.168.10.0 255.255.255.0 192.168.88.0 255.255.255.0
access-list acl_sample extended permit ip 192.168.88.0 255.255.255.0 192.168.10.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 80.251.56.1 1
route outside 172.16.31.0 255.255.255.0 192.168.101.155 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set sample_ts esp-aes-256 esp-sha-hmac
crypto map sample_cm 1 match address acl_sample
crypto map sample_cm 1 set pfs group5
crypto map sample_cm 1 set peer 172.16.31.4 172.16.31.7
crypto map sample_cm 1 set ikev1 transform-set sample_ts
crypto map sample_cm interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.31.4 type ipsec-l2l
tunnel-group 172.16.31.4 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 172.16.31.7 type ipsec-l2l
tunnel-group 172.16.31.7 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 172.16.3.51 type ipsec-l2l
tunnel-group 172.16.3.51 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group-map enable rules
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/odd ... DCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end


iSupport
Сообщения: 2360
Зарегистрирован: 06 фев 2011, 20:44

13 июл 2013, 14:55

Обратитесь на форум микротик.ком или на саппорт@микротик.ком

там больше опытных товарищей по IPSEC


Граждане, сколько раз просил =) чем понятнее и точнее сформулирован вопрос - тем понятнее и точнее будет на него ответ.
Я просматриваю ВСЕ темы форума и стараюсь помочь в каждой из них
Поэтому, НА ЛС отвечаю в последнюю очередь
Ответить