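I have now deleted the previously created IPsec configuration and switched to a different peer address, but when I check IKE, the SA is still established with the original peer address.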
ike profile XYT
keychain H3c
dpd interval 60 on-demand
exchange-mode aggressive
local-identity address 59.49.101.9
match remote identity address 59.49.106.180 255.255.255.255
proposal 1
<BG-3/4#-Router>dis ike sa verbose
-----------------------------------------------
Connection ID: 67079
Outside VPN:
Inside VPN:
Profile: XYT
Transmitting entity: Responder
Initiator COOKIE: b571f27a24226ff4
Responder COOKIE: 390f003a33412877
-----------------------------------------------
Tcp encaps: Disabled
Local IP/port: 59.49.101.9/500
Local ID type: IPV4_ADDR
Local ID: 59.49.101.9
Remote IP/port: 1.71.168.219/500
Remote ID type: IPV4_ADDR
Remote ID: 59.49.106.180
<BG-3/4#-Router>*Jul 29 17:51:46:380 2025 BG-3/4#-Router IKE/7/EVENT: Received packet successfully.
*Jul 29 17:51:46:380 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received packet from 1.71.168.219 source port 500 destination port 500.
*Jul 29 17:51:46:380 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
I-COOKIE: b571f27a24226ff4
R-COOKIE: 390f003a33412877
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: a8ed6ed9
length: 156
*Jul 29 17:51:46:380 2025 BG-3/4#-Router IKE/7/EVENT: IKE thread 1099108041392 processes a job.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/EVENT: Phase2 process started.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/EVENT: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Decrypt the packet.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received ISAKMP Hash Payload.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received ISAKMP Security Association Payload.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received ISAKMP Nonce Payload.
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received ISAKMP Identification Payload (IPsec DOI).
*Jul 29 17:51:46:381 2025 BG-3/4#-Router IKE/7/PACKET: vrf = 0, local = 59.49.101.9, remote = 1.71.168.219/500
Received ISAKMP Identification Payload (IPsec DOI).
Best answer
After confirming that there is no service traffic, use reset to clear phase 1 and phase 2 of the current old traffic
reset ike sa XXX
reset ipsec sa XXX
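After that, trigger traffic from a PC in the new interesting-traffic segment, or trigger it with a source-specified ping on the device, to establish the new tunnel
I already cleared them. Isn't the current configuration set to trigger automatically? I also tried triggering with traffic and it is still the same.
Tunnel establishment generally needs to be triggered by interesting traffic. If it is still the same after triggering, confirm whether the underlying traffic actually passes through the interface where this IPsec is applied; the traffic may not have been steered there yet. Also check NAT: whether it denies the new interesting traffic, and whether the old interesting traffic has been removed. Otherwise the new traffic will still be translated by NAT first and will not trigger the tunnel.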
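Check whether the ACL being referenced contains the traffic you are using; if the interesting traffic is not matched, the tunnel cannot be triggered.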
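An added example, not part of the original thread: a small Python check that parses `dis ike sa verbose` output in the layout quoted in the question and lists IKE SAs that do not belong to the peer you expect. The function names and the placeholder peer address 203.0.113.10 are assumptions made for illustration; the sample text is constructed from the fields shown in the question.

```python
import re

# Constructed sample, laid out like the `dis ike sa verbose` output in the question.
SAMPLE = """\
Connection ID: 67079
Profile: XYT
Transmitting entity: Responder
Local IP/port: 59.49.101.9/500
Remote IP/port: 1.71.168.219/500
Remote ID type: IPV4_ADDR
Remote ID: 59.49.106.180
"""

FIELDS = {"Connection ID": "conn_id", "Profile": "profile",
          "Transmitting entity": "role", "Remote IP/port": "remote_ip",
          "Remote ID": "remote_id"}

def parse_ike_sas(text):
    """Return one dict per SA; a 'Connection ID' line starts a new SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # separator lines and free text carry no field
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Connection ID":
            cur = {}
            sas.append(cur)
        if cur is not None and key in FIELDS:
            # Keep only the address part of "ip/port".
            cur[FIELDS[key]] = val.split("/")[0] if key == "Remote IP/port" else val
    return sas

def stale_sas(sas, expected_peer):
    """List SAs whose remote IP and remote ID both differ from expected_peer."""
    out = []
    for sa in sas:
        if expected_peer in (sa.get("remote_ip"), sa.get("remote_id")):
            continue
        notes = []
        if sa.get("remote_ip") != sa.get("remote_id"):
            notes.append("remote IP differs from remote ID")
        if sa.get("role") == "Responder":
            notes.append("negotiation was initiated by the remote side")
        out.append((sa["conn_id"], sa.get("profile"), notes))
    return out

if __name__ == "__main__":
    # 203.0.113.10 is a placeholder for the newly configured peer (assumption).
    for conn, profile, notes in stale_sas(parse_ike_sas(SAMPLE), "203.0.113.10"):
        print(conn, profile, "; ".join(notes))
```

An SA reported with the "initiated by the remote side" note was negotiated with the local device as responder, so it can come back after a reset for as long as a profile and keychain on the device still accept that peer.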