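Our hospital set up a VPN for the New Rural Cooperative Medical Scheme, and for some unknown reason the tunnel can no longer be established. I configured a mirror port on the access switch, mirrored the VPN interface to my own computer and captured packets, and found no packets whose destination address is the peer. Can I conclude that the VPN device's configuration or hardware is at fault?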
(0)
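Best answer
What kind of VPN is this? I see your VPN is drawn between the switch and the server; could it be a GRE VPN?
If it is GRE, you can refer to the case at the link below: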
http://www.h3c.com/cn/d_201804/1075309_30005_0.htm#_Toc509595413
1. Use the display ike sa command to check whether the IKE SAs have been established
<H3C>dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 34.1.1.2 RD 1 IPSEC
3 34.1.1.2 RD 2 IPSEC
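IPsec troubleshooting steps
Troubleshooting steps when phase 1 cannot be established:
1) Use disp ike proposal to check whether the IKE proposals on both ends are the same
Initiator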
disp ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
1 PRE_SHARED SHA DES_CBC MODP_768 86400
2 RSA_SIG SHA DES_CBC MODP_768 86400
default PRE_SHARED SHA DES_CBC MODP_768 86400
Responder
disp ike proposal
priority authentication authentication encryption Diffie-Hellman duration
method algorithm algorithm group (seconds)
---------------------------------------------------------------------------
2 RSA_SIG SHA DES_CBC MODP_768 86400
default PRE_SHARED SHA DES_CBC MODP_768 86400
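IKE proposals have priorities when they are configured. When main mode is used to establish the IKE phase 1 SA, all IKE proposals are sent in priority order.
The responder compares the received IKE proposals, in the order received, against all of its local proposals and selects a matching one to continue the negotiation.
If the comparison fails, the negotiation is aborted.
Aggressive mode's weaker negotiation capability shows up as follows: with main mode the initiator can send all of its IKE proposals, but with aggressive mode it can send only the first one, so if that first proposal does not match the responder's security proposal, the negotiation fails.
2) Use display ike peer to check whether the passwords configured on both ends are the same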
dis ike peer
---------------------------
IKE Peer: r4
exchange mode: aggressive on phase 1
pre-shared-key simple h3c
peer id type: name
peer ip address: 0.0.0.0 ~ 255.255.255.255
local ip address:
peer name: r4
nat traversal: enable
dpd: 1
---------------------------
Through the debug ike packet information you can see the following:
ike exchange debugging switch is on
ike error debugging switch is on
When the IKE security proposal configurations do not match, the receiving end reports the following error:
%Mar 13 15:56:10:359 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE ad9a14090ec90cdc and R_COOKIE 0000000000000000, because of 'No proposal is chosen' from payload PROPOSAL.
Debug information on the initiator:
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required KEY_EXCH
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required ID
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
Debug error output on the initiator when the IKE pre-shared-key is misconfigured:
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required KEY_EXCH
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required ID
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required AUTH
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange run: fail to receive message
At this stage
Troubleshooting when phase 2 cannot be established
1) When the IPsec proposal configurations differ:
display ike sa shows:
dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
5 34.1.1.1 RD|ST 1 IPSEC
Phase 1 is established normally.
The receiving end reports an error:
%Mar 14 09:12:08:485 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No proposal is chosen' from payload PROPOSAL.
Debug information on the initiator is as follows:
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange create(i): 80cbf30
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange create(r): 80d2af0
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange validate: checking for required INFO
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80cbf30
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d2af0
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: Connection name is 34.1.1.1,34.1.1.2,500,0;#h3c,1-15
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: Check connection: SA for 34.1.1.1,34.1.1.2,500,0;#h3c,1-15 missing
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: exchange lookup : name = 34.1.1.1,34.1.1.2,500,0;#h3c,1-15 phase = 2
2) When the ACL is configured incorrectly:
The receiving end reports the following error:
%Mar 14 09:25:44:906 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No IPSec policy found' from payload PROPOSAL.
Debug information on the initiator is as follows:
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange create(i): 80d45f0
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange create(r): 80daf70
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange validate: checking for required INFO
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d45f0
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80daf70
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: Connection name is 34.1.1.1,34.1.1.2,500,0;#h3c,1-31
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: Check connection: SA for 34.1.1.1,34.1.1.2,500,0;#h3c,1-31 missing
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: exchange lookup : name = 34.1.1.1,34.1.1.2,500,0;#h3c,1-31 phase = 2
That completes the troubleshooting of IPsec configuration problems. Below is the debug output when IKE is established normally.
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange create(i): 80d45f0
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 1, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 2, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: finalize exchange: 2d010100/ffffff00 -> c010100/ffffff00
*Mar 14 09:34:38:875 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d45f0
(0)
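The receiver-side drop messages quoted in the answer above can be sorted mechanically. The following is an added example, not part of the original answer or of H3C's tooling: it parses IKE_PACKET_DROPPED lines and maps each one to the check the answer describes. Assumptions: the function names are hypothetical, and for drops raised from the PROPOSAL payload an all-zero R_COOKIE is read as phase 1 and a non-zero one as phase 2, which matches the samples in the answer.

```python
import re
from collections import Counter

# Receiver-side lines copied from the output quoted in the answer above,
# plus one DEBUG line that the parser must ignore.
SAMPLE_LOG = """\
%Mar 13 15:56:10:359 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE ad9a14090ec90cdc and R_COOKIE 0000000000000000, because of 'No proposal is chosen' from payload PROPOSAL.
%Mar 14 09:12:08:485 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No proposal is chosen' from payload PROPOSAL.
%Mar 14 09:25:44:906 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No IPSec policy found' from payload PROPOSAL.
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 2, advancing...
"""

DROP_RE = re.compile(
    r"IKE_PACKET_DROPPED: IKE packet dropped: "
    r"\(src addr: (?P<src>[\d.]+), dst addr: (?P<dst>[\d.]+)\) "
    r"with I_COOKIE (?P<icookie>[0-9a-fA-F]{16}) "
    r"and R_COOKIE (?P<rcookie>[0-9a-fA-F]{16}), "
    r"because of '(?P<reason>[^']+)' from payload (?P<payload>\w+)"
)

# (phase, reason) -> the check the answer gives for that symptom.
CHECKS = {
    (1, "No proposal is chosen"): "compare 'display ike proposal' on both ends",
    (2, "No proposal is chosen"): "compare the ipsec proposal on both ends",
    (2, "No IPSec policy found"): "check the ACL configuration",
}


def proposal_phase(payload, rcookie):
    """Assumption: phase 1 proposals travel in the first message, before the
    responder has chosen a cookie (R_COOKIE all zeros); phase 2 proposals
    travel under an existing IKE SA (non-zero). Other payloads: unknown."""
    if payload != "PROPOSAL":
        return None
    return 1 if int(rcookie, 16) == 0 else 2


def triage(log_text):
    """Return one finding per IKE_PACKET_DROPPED line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if not m:
            continue  # DEBUG and unrelated lines carry no drop reason
        phase = proposal_phase(m["payload"], m["rcookie"])
        check = CHECKS.get((phase, m["reason"]), "reason not covered by the answer")
        findings.append({"peer": m["src"], "phase": phase,
                         "reason": m["reason"], "check": check})
    return findings


def summarize(findings):
    """Count drops per (peer, phase, reason) so retries collapse into one row."""
    return Counter((f["peer"], f["phase"], f["reason"]) for f in findings)


if __name__ == "__main__":
    for (peer, phase, reason), n in summarize(triage(SAMPLE_LOG)).items():
        print(f"peer {peer} phase {phase}: {reason!r} x{n}")
```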
It is IPsec
If troubleshooting proves difficult, you can call 400 and have them help you troubleshoot.