VPN: cannot establish a VTI-mode connection between StrongSwan and a Cisco ASA 5525-X
Problem
The VTI-mode VPN connection between StrongSwan and the Cisco ASA 5525-X does not come up.
Requirements
- Cisco global IP: 202.241.22.167 (placeholder IP)
- strongSwan global IP: 52.191.161.64 (placeholder IP)
- static routing
- VTI mode
- Cisco tunnel IP: 169.254.8.145/30
- strongSwan tunnel IP: 169.254.8.146/30
- Desired path: Cisco ASA 5525-X -> strongSwan (AWS EC2) -> 172.31.62.3 (AWS EC2)
It is enough if a ping from the ASA reaches 172.31.62.3.
I suspect the strongSwan configuration is at fault, but I have not been able to resolve it...
I also looked at Cisco's official configuration documentation but could not find the VTI-mode settings there.
Relevant configuration
Cisco ASA 5525-X config
!
interface Tunnel15
 nameif vti-tunnel15
 no cts manual
 ip address 169.254.8.145 255.255.255.252
 delay 100
 tunnel source interface outside
 tunnel destination 52.191.161.64
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ikev2tunnel
!
crypto ipsec ikev2 ipsec-proposal ikev2FirstSet
 protocol esp encryption aes-256
 protocol esp integrity sha-256
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec profile ikev2tunnel
 set ikev2 ipsec-proposal ikev2FirstSet
 set pfs group2
 set security-association lifetime seconds 3600
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
object network 52.191.161.64
 subnet 52.191.161.64 255.255.255.255
!
tunnel-group 52.191.161.64 type ipsec-l2l
tunnel-group 52.191.161.64 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 52.191.161.64 ipsec-attributes
 no ikev1 pre-shared-key
 peer-id-validate req
 no chain
 no ikev1 trust-point
 isakmp keepalive threshold 10 retry 2
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
route vti-tunnel15 172.31.62.3 255.255.255.255 169.254.8.146 1
!
strongSwan config (AWS EC2), ipsec.conf
conn ikev2-vpn
    type=tunnel
    keyexchange=ikev2
    # lifetimes mirror the ASA: IKE 86400 s, IPsec SA 3600 s
    ikelifetime=24h
    lifetime=1h
    rekeymargin=3m
    keyingtries=1
    authby=secret
    # auto=add only loads the conn; nothing initiates it from this side
    auto=add
    # proposals use DH group 2 (modp1024) to match "group 2" / "set pfs group2" on the ASA
    ike=sha256-aes256-modp1024
    esp=sha256-aes256-modp1024
    dpdaction=clear
    dpddelay=300s
    # IKE identity sent to the ASA; it must equal the ASA tunnel-group name (peer-id-validate req)
    leftid=52.191.161.64
    # traffic selector offered for the local side (a single /32 host)
    leftsubnet=172.31.62.3
    rightid=202.241.22.167
    # leftsourceip requests a virtual IP from the peer, rightsourceip hands one to the peer;
    # neither option assigns an address to a local tunnel interface
    leftsourceip=169.254.8.146
    rightsourceip=169.254.8.145
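An ASA VTI tunnel negotiates any/any (0.0.0.0/0 <-> 0.0.0.0/0) traffic selectors and leaves the decision of what enters the tunnel to the routing table, so the strongSwan side has to be built the same way: a conn with 0.0.0.0/0 on both sides, an XFRM mark, and a Linux vti interface whose key equals that mark, carrying the 169.254.8.146/30 address. The script below is an added example and is not part of the original post or of any vendor documentation. It assumes an EC2 private address of 172.31.62.10 (the Elastic IP 52.191.161.64 is 1:1 NAT and is not on the instance's NIC) and a hypothetical 192.168.100.0/24 LAN behind the ASA; both are placeholders to be replaced, as are the vti name and key.

```shell
#!/bin/sh
# Added example (not the original poster's config): route-based strongSwan peer
# for a Cisco ASA VTI tunnel. Usage on the EC2 instance, as root:
#   ./asa-vti.sh conf   -> prints the ipsec.conf conn and the strongswan.conf stanza
#   ./asa-vti.sh up     -> creates the vti interface, routes and sysctls
set -eu

ASA_PUBLIC=202.241.22.167     # placeholder IP from the post
EC2_PUBLIC=52.191.161.64      # placeholder Elastic IP from the post
EC2_PRIVATE=172.31.62.10      # ASSUMED: the instance's VPC address (the EIP is NAT, not on the NIC)
ASA_LAN=192.168.100.0/24      # ASSUMED: network behind the ASA that should reach 172.31.62.3
VTI_IF=vti15
VTI_KEY=15                    # vti "key" must equal the strongSwan mark= below
LOCAL_TUN=169.254.8.146/30    # from the post
REMOTE_TUN=169.254.8.145      # from the post

# ipsec.conf conn: any/any selectors like the ASA, a mark so the SAs bind to the vti,
# identities set to the public addresses (the ASA validates the peer ID against the
# tunnel-group name), proposals matching the ASA policy (group 2 = modp1024).
render_ipsec_conf() {
cat <<EOF
conn asa-vti
    keyexchange=ikev2
    type=tunnel
    authby=secret
    auto=start
    left=$EC2_PRIVATE
    leftid=$EC2_PUBLIC
    right=$ASA_PUBLIC
    rightid=$ASA_PUBLIC
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=$VTI_KEY
    # modp1024 only to match the ASA config shown; move both sides to modp2048 (group 14)
    ike=aes256-sha256-modp1024!
    esp=aes256-sha256-modp1024!
    ikelifetime=24h
    lifetime=1h
    rekeymargin=3m
    keyingtries=%forever
    dpdaction=restart
    dpddelay=30s
EOF
}

# strongswan.conf: with 0.0.0.0/0 selectors charon would otherwise install a
# default route into routing table 220 and cut the instance off from the VPC.
render_strongswan_conf() {
cat <<EOF
charon {
    install_routes = no
}
EOF
}

# Kernel side: vti interface keyed to the mark, tunnel address, forwarding,
# no XFRM policy check on the vti (the SA binding already enforces it),
# and a route so traffic for the ASA LAN is steered into the tunnel.
vti_up() {
    ip tunnel add "$VTI_IF" mode vti local "$EC2_PRIVATE" remote "$ASA_PUBLIC" key "$VTI_KEY"
    ip link set "$VTI_IF" up
    ip addr add "$LOCAL_TUN" dev "$VTI_IF"
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w "net.ipv4.conf.$VTI_IF.disable_policy=1"
    ip route add "$ASA_LAN" dev "$VTI_IF"
}

case "${1:-}" in
    conf) render_ipsec_conf; render_strongswan_conf ;;
    up)   vti_up ;;
    *)    : ;;   # no argument: only define the functions
esac
```

The PSK goes into ipsec.secrets as `52.191.161.64 202.241.22.167 : PSK "..."`. Things outside strongSwan that commonly keep this exact topology from passing a ping: the instance's security group must admit UDP 500 and 4500 from 202.241.22.167 (the EIP is NAT, so IKEv2 will run over NAT-T on 4500, which the ASA supports); source/destination checking must be disabled on the strongSwan instance; and the VPC route table needs entries for 169.254.8.144/30 and the ASA-side LAN pointing at that instance, otherwise 172.31.62.3 sends its echo replies to the VPC router instead of back through the tunnel. After `ipsec up asa-vti`, `ip xfrm state` should show SAs carrying `mark 0xf`, and `ip -s link show vti15` should count packets in both directions.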