• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 漏洞说明
  • 全部
  • 全部
  • 大数据引擎
  • 知了引擎
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
搜索引擎
匹配模式
高级搜索

msr830对接威努特防火墙ipesc vpn经常中断

2024-01-18提问
  • 0关注
  • 0收藏,674浏览
粉丝:0人 关注:0人

问题描述:

MSR830路由器为V5版本,对接其它厂商防火墙,使用ipsec vpn,中断时显示ike sa存在,ipsec sa存在,

配置了dpd检测及nat穿越检测

 

 

 

中断时告警

%Jan 14 23:40:52:050 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.

%Jan 14 23:40:52:081 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.

在对端安全设备查看ipsec sa显示esp sa未建立

 

5 个回答
粉丝:5人 关注:4人

提示ike问题,配置ike next-payload check disabled不检测载荷试一下



粉丝:3人 关注:0人

中断后能自动恢复么?可以把配置贴出来看看

半个小时左右自动恢复 version 5.20, Release 2516P22 # sysname BoKe_RT # password-control enable undo password-control aging enable undo password-control history enable password-control length 6 password-control login-attempt 3 exceed lock-time 10 password-control password update interval 0 password-control login idle-time 0 password-control complexity user-name check # ike next-payload check disabled # domain default enable system # dns proxy enable # ip ttl-expires enable ip unreachables enable # dar p2p signature-file flash:/p2p_default.mtd # ndp enable # ntdp enable # cluster enable # port-security enable # password-recovery enable # acl number 3000 rule 0 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255 rule 1 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255 rule 2 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255 acl number 3333 description guolv rule 0 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255 rule 1 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255 rule 2 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255 rule 1000 permit ip # vlan 1 # vlan 100 description boxingke # vlan 200 description jingti # domain system access-limit disable state active idle-cut disable self-service-url disable # public-key peer 10.140.0.2 public-key-code begin 308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD 96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381840002818019D6176420CCF2589D1B2765D39F097F1BD7 A05C291613984AA8D03CA882DC02B3E8F351AC3CE79BD8B39FE0B2CFF58BAD9924C044F780 0C7DB133C2348D42C7D4610D5D7677C54C6DE0E4822BAF2597EC29D516AFF150DB6D0FAECF CAB003D1CE6D8BBFC3C1E10274DD81A4877F5A0E57DD50722FB269F860ECE7A3D4B64A53 public-key-code end peer-public-key end # ike proposal 1 encryption-algorithm 3des-cbc dh group2 authentication-algorithm md5 # ike dpd 1 # ike peer 1 proposal 1 pre-shared-key cipher $c$3$/WWjawzzlhivFSyLoy6j9lOioapSu2oCvOLH remote-address 39.152.40.230 local-address 39.152.39.23 nat traversal dpd 1 # ipsec transform-set 1 encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm 3des # ipsec policy boke 1 isakmp security acl 3000 ike-peer 1 remote-address 39.152.40.230 local-address 39.152.39.23 transform-set 1 # ipsec profile 1 # dhcp server ip-pool vlan100 network 10.140.0.0 mask 255.255.254.0 gateway-list 10.140.0.1 dns-list 211.137.32.178 8.8.8.8 # user-group system group-attribute allow-guest # local-user admin authorization-attribute level 3 service-type telnet service-type web local-user ygny authorization-attribute user-role guest-manager service-type ssh service-type web # cwmp undo cwmp enable # interface Cellular0/0 async mode protocol link-protocol ppp tcp mss 1024 # interface NULL0 # interface Vlan-interface100 ip address 10.140.0.1 255.255.254.0 ip address 192.168.1.1 255.255.255.0 sub # interface GigabitEthernet0/0 port link-mode route nat outbound 3333 ip address 39.152.39.23 255.255.255.0 tcp mss 1024 ipsec policy boke # interface GigabitEthernet0/1 port link-mode route tcp mss 1024 # interface GigabitEthernet0/8 port link-mode route tcp mss 1024 # interface GigabitEthernet0/9 port link-mode route tcp mss 1024 # interface GigabitEthernet0/2 port link-mode bridge port access vlan 200 # interface GigabitEthernet0/3 port link-mode bridge description xia0_luyou port access vlan 200 # interface GigabitEthernet0/4 port link-mode bridge description TO_xinyangguang port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 200 # interface GigabitEthernet0/5 port link-mode bridge # interface GigabitEthernet0/6 port link-mode bridge # interface GigabitEthernet0/7 port link-mode bridge description TO_SW port access vlan 100 # nqa entry admin 1 type icmp-echo destination ip 172.30.77.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # nqa entry admin 2 type icmp-echo destination ip 172.30.100.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # nqa entry admin 3 type icmp-echo destination ip 172.30.120.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # ip route-static 0.0.0.0 0.0.0.0 39.152.39.1 # dhcp server forbidden-ip 10.140.0.1 10.140.0.50 # dhcp enable # nqa schedule admin 1 start-time now lifetime forever nqa schedule admin 2 start-time now lifetime forever nqa schedule admin 3 start-time now lifetime forever # ssh server enable ssh user ygny service-type all authentication-type password ssh client authentication server 10.140.0.2 assign publickey 10.140.0.2 # ip https enable # load xml-configuration # load tr069-configuration # user-interface con 0 user-interface tty 13 user-interface vty 0 4 authentication-mode scheme #

草字头 发表时间:2024-01-19 更多>>

半个小时左右自动恢复 version 5.20, Release 2516P22 # sysname BoKe_RT # password-control enable undo password-control aging enable undo password-control history enable password-control length 6 password-control login-attempt 3 exceed lock-time 10 password-control password update interval 0 password-control login idle-time 0 password-control complexity user-name check # ike next-payload check disabled # domain default enable system # dns proxy enable # ip ttl-expires enable ip unreachables enable # dar p2p signature-file flash:/p2p_default.mtd # ndp enable # ntdp enable # cluster enable # port-security enable # password-recovery enable # acl number 3000 rule 0 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255 rule 1 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255 rule 2 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255 acl number 3333 description guolv rule 0 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255 rule 1 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255 rule 2 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255 rule 1000 permit ip # vlan 1 # vlan 100 description boxingke # vlan 200 description jingti # domain system access-limit disable state active idle-cut disable self-service-url disable # public-key peer 10.140.0.2 public-key-code begin 308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD 96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038 7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1 4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD 35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123 91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1 585DA7F42519718CC9B09EEF0381840002818019D6176420CCF2589D1B2765D39F097F1BD7 A05C291613984AA8D03CA882DC02B3E8F351AC3CE79BD8B39FE0B2CFF58BAD9924C044F780 0C7DB133C2348D42C7D4610D5D7677C54C6DE0E4822BAF2597EC29D516AFF150DB6D0FAECF CAB003D1CE6D8BBFC3C1E10274DD81A4877F5A0E57DD50722FB269F860ECE7A3D4B64A53 public-key-code end peer-public-key end # ike proposal 1 encryption-algorithm 3des-cbc dh group2 authentication-algorithm md5 # ike dpd 1 # ike peer 1 proposal 1 pre-shared-key cipher $c$3$/WWjawzzlhivFSyLoy6j9lOioapSu2oCvOLH remote-address 39.152.40.230 local-address 39.152.39.23 nat traversal dpd 1 # ipsec transform-set 1 encapsulation-mode tunnel transform esp esp authentication-algorithm md5 esp encryption-algorithm 3des # ipsec policy boke 1 isakmp security acl 3000 ike-peer 1 remote-address 39.152.40.230 local-address 39.152.39.23 transform-set 1 # ipsec profile 1 # dhcp server ip-pool vlan100 network 10.140.0.0 mask 255.255.254.0 gateway-list 10.140.0.1 dns-list 211.137.32.178 8.8.8.8 # user-group system group-attribute allow-guest # local-user admin authorization-attribute level 3 service-type telnet service-type web local-user ygny authorization-attribute user-role guest-manager service-type ssh service-type web # cwmp undo cwmp enable # interface Cellular0/0 async mode protocol link-protocol ppp tcp mss 1024 # interface NULL0 # interface Vlan-interface100 ip address 10.140.0.1 255.255.254.0 ip address 192.168.1.1 255.255.255.0 sub # interface GigabitEthernet0/0 port link-mode route nat outbound 3333 ip address 39.152.39.23 255.255.255.0 tcp mss 1024 ipsec policy boke # interface GigabitEthernet0/1 port link-mode route tcp mss 1024 # interface GigabitEthernet0/8 port link-mode route tcp mss 1024 # interface GigabitEthernet0/9 port link-mode route tcp mss 1024 # interface GigabitEthernet0/2 port link-mode bridge port access vlan 200 # interface GigabitEthernet0/3 port link-mode bridge description xia0_luyou port access vlan 200 # interface GigabitEthernet0/4 port link-mode bridge description TO_xinyangguang port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan 100 200 # interface GigabitEthernet0/5 port link-mode bridge # interface GigabitEthernet0/6 port link-mode bridge # interface GigabitEthernet0/7 port link-mode bridge description TO_SW port access vlan 100 # nqa entry admin 1 type icmp-echo destination ip 172.30.77.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # nqa entry admin 2 type icmp-echo destination ip 172.30.100.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # nqa entry admin 3 type icmp-echo destination ip 172.30.120.1 frequency 100 reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only source ip 10.140.0.1 # ip route-static 0.0.0.0 0.0.0.0 39.152.39.1 # dhcp server forbidden-ip 10.140.0.1 10.140.0.50 # dhcp enable # nqa schedule admin 1 start-time now lifetime forever nqa schedule admin 2 start-time now lifetime forever nqa schedule admin 3 start-time now lifetime forever # ssh server enable ssh user ygny service-type all authentication-type password ssh client authentication server 10.140.0.2 assign publickey 10.140.0.2 # ip https enable # load xml-configuration # load tr069-configuration # user-interface con 0 user-interface tty 13 user-interface vty 0 4 authentication-mode scheme #

草字头 发表时间:2024-01-19
粉丝:237人 关注:8人

 No proposal is chosen - Payload=PROPOSAL; IKE packet dropped.IKE包 到达时,它没有包含任何被接收方接受的提议(proposal)。在这种情况下,IKE包会被丢弃。

在IKE协商过程中,每一方都会发送一个或多个提议,这些提议描述了它们希望如何加密、认证或处理数据。如果接收方没有选择任何提议,可能是因为提议无效或不被支持,或者是因为配置错误。

解决这个问题通常需要检查和调整IKE配置,确保双方都支持相同的加密和认证算法,并且都正确配置了所有必要的参数。在某些情况下,可能需要升级或更改软件或硬件来支持更新的、更安全的协议或算法。

粉丝:167人 关注:1人

ipsec vpn中断可能有以下几种原因:

您的告警信息显示,IKE协商过程中,没有选择合适的提议,这可能是由于第一种或第二种原因导致的。您可以使用 display ike proposal 命令查看本地的IKE提议配置,与对端的配置进行对比,找出不一致的地方,并进行修改。您还可以使用 display ike sa 命令查看IKE SA的状态,如果状态为MM_NO_STATE,说明IKE协商没有开始或已经失败。

1: IPSec VPN建立失败的原因分析 - 知了社区 

2: IPSec VPN建立失败的原因分析 - 华为 

3: IPSec VPN建立失败的原因分析 - 知了社区 

4: IPSec VPN建立失败的原因分析 - 华为 

5: IPSec VPN建立失败的原因分析 - 知了社区 : [IPSec VPN建立失败的原因分析 - 华为] : [display ike proposal - H3C] : [display ike sa - H3C]

粉丝:20人 关注:9人

您好,请知:


IPSEC VPN故障排查:
1、检查公网地址的连通性
2、检查ipsec acl是否配置正确(两端ACL以互为镜像的方式配置)
3、检查ike keychain/ike profile 协商参数配置是否正确(工作模式、keychain、identity、本端/对端隧道地址或隧道名称、NAT穿越功能v7自适应)
4、检查ipsec proposal(v5平台) /ipsec  transform-set(v7平台)参数两端是否一致(封装模式、安全协议、验证算法、加密算法)
5、检查设备是否创建ipsec策略,并加载协商参数(acl、ike profile 、ipsec  transform-set、对端隧道IP)
6、检查ipsec策略是否应用在正确的接口上
 
IPSEC排查命令:
1、disp ipsec policy
2、disp acl
3、dis cu conf ike-profile
4、dis cu conf ike-keychain
5、display  ike proposal
6、display  ipsec  transform-set
7、disp ike sa (verbose)
8、disp ipsec sa
9、reset ipsec sa
10、reset ike sa

编辑答案

你正在编辑答案

如果你要对问题或其他回答进行点评或询问,请使用评论功能。

分享扩散:

提出建议

    +

亲~登录后才可以操作哦!

确定

亲~检测到您登陆的账号未在http://hclhub.h3c.com进行注册

注册后可访问此模块

跳转hclhub

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作

举报

×

侵犯我的权益 >
对根叔社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 pub.zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到pub.zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明