Network topology as shown in the figure:
VPN1 and VPN2 run GRE over IPsec. The GRE tunnel addresses on VPN1 and VPN2 are 10.0.0.1 and 10.0.0.2, the tunnel source and destination addresses are 11.11.11.11 and 22.22.22.22, and the internal networks are represented by Loopback10 and Loopback20. The internal addresses protected by GRE are reached through OSPF; the public addresses used to establish IPsec (202.0.0.1 and 203.0.0.1 on GigabitEthernet0/0, as seen in the IPsec SA output below) are reached through static routes.
Not applicable.
Problem description:
The IPsec tunnel on site has been established, but the Loopback addresses of VPN1 and VPN2 cannot reach each other:
[VPN1]ping -a 1.1.1.1 2.2.2.2
Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
[H3C]dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: vpn
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Transmitting entity: Initiator
Path MTU: 1428
Tunnel:
local address: 202.0.0.1
remote address: 203.0.0.1
Flow:
sour addr: 11.11.11.11/255.255.255.255 port: 0 protocol: ip
dest addr: 22.22.22.22/255.255.255.255 port: 0 protocol: ip
Problem analysis:
Troubleshooting showed that the OSPF neighbor formed over the tunnel interface kept flapping between down and full. Inspecting VPN1's configuration revealed that its OSPF process also advertised the public address 202.0.0.1 with a network command:
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.0.0.0 0.0.0.3
network 202.0.0.1 0.0.0.0
Detailed analysis:
While the OSPF neighbor is down, the hello packets are encapsulated with the IPsec public header and leave via the default route. Once the neighbor comes up, however, 202.0.0.1 is advertised into OSPF, so a route to that address is learned through the tunnel itself, and in Comware an OSPF route (preference 10) is preferred over a static route (preference 60). The encapsulated packet still carries 202.0.0.1 as its outer destination, is routed back into the tunnel, encapsulated again, and so on in an infinite loop (recursive routing). The tunnel line protocol then goes down and takes the OSPF adjacency with it; the OSPF route disappears, the static route is used again, the tunnel comes back up, OSPF relearns the route, and the cycle repeats, as the log shows:
[H3C]%Apr 11 16:23:53:008 2022 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to down.
%Apr 11 16:23:53:010 2022 H3C OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 10.0.0.2(Tunnel0) changed from FULL to DOWN.
[H3C]
[H3C]%Apr 11 16:24:03:012 2022 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel0 changed to up.
%Apr 11 16:24:03:031 2022 H3C OSPF/5/OSPF_NBR_CHG: OSPF 1 Neighbor 10.0.0.2(Tunnel0) changed from LOADING to FULL.
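To make the loop in this analysis concrete, the following Python script is an added example, not part of the H3C case or of any device configuration on the page. It models a Comware-style routing table for the peer router (assumed here to be VPN2, with addresses and interface names taken from the case and a public next hop of 203.0.0.254 that is an assumption), applies the Comware default route preferences (Direct 0, OSPF 10, Static 60), and checks whether any outer destination in the GRE/IPsec encapsulation chain resolves back through Tunnel0. The `Route`, `best_route` and `recursive_hops` names are the example's own.

```python
"""Recursive-routing check for a GRE over IPsec tunnel (added example).

Models the routing table of the router that learns the tunnel endpoint's
public address across the tunnel, and flags the condition that makes the
tunnel line protocol flap in the case above.
"""
import ipaddress
from dataclasses import dataclass

# Comware default route preferences; a lower value wins when two
# protocols offer routes of the same prefix length.
PREFERENCE = {"Direct": 0, "OSPF": 10, "Static": 60}


@dataclass(frozen=True)
class Route:
    prefix: str      # destination network, e.g. "202.0.0.1/32"
    protocol: str    # "Direct", "OSPF" or "Static"
    nexthop: str
    interface: str


def best_route(table, dest):
    """Return the route the FIB would use for dest: longest prefix match,
    ties broken by the lowest protocol preference. None if no route."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen,
                              -PREFERENCE[r.protocol]))


def recursive_hops(table, tunnel_if, outer_dests):
    """Walk the encapsulation chain (GRE destination, then IPsec peer) and
    return the outer destinations whose best route exits via tunnel_if.
    A non-empty list is the recursive-routing condition: the encapsulated
    packet would be sent back into the tunnel that produced it."""
    bad = []
    for dest in outer_dests:
        r = best_route(table, dest)
        if r is not None and r.interface == tunnel_if:
            bad.append(dest)
    return bad


# Constructed routing table of VPN2 (assumption): the public next hop
# 203.0.0.254 is invented for the example; the other addresses come from
# the case. Static routes reach the GRE source and the IPsec peer of VPN1.
COMMON = [
    Route("203.0.0.0/24", "Direct", "203.0.0.1", "GigabitEthernet0/0"),
    Route("10.0.0.0/30", "Direct", "10.0.0.2", "Tunnel0"),
    Route("11.11.11.11/32", "Static", "203.0.0.254", "GigabitEthernet0/0"),
    Route("202.0.0.1/32", "Static", "203.0.0.254", "GigabitEthernet0/0"),
    Route("1.1.1.1/32", "OSPF", "10.0.0.1", "Tunnel0"),
]

# While VPN1 still runs "network 202.0.0.1 0.0.0.0", VPN2 learns the /32
# over Tunnel0; at preference 10 vs 60 it beats the static route.
BEFORE_FIX = COMMON + [Route("202.0.0.1/32", "OSPF", "10.0.0.1", "Tunnel0")]
# After "undo network 202.0.0.1 0.0.0.0" on VPN1 the OSPF route is gone.
AFTER_FIX = COMMON

# Outer destinations VPN2 must route to reach VPN1 through the tunnel:
# the GRE packet to 11.11.11.11, then the IPsec packet to 202.0.0.1.
OUTER_CHAIN = ["11.11.11.11", "202.0.0.1"]


if __name__ == "__main__":
    for label, table in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        loops = recursive_hops(table, "Tunnel0", OUTER_CHAIN)
        state = "RECURSIVE via " + ", ".join(loops) if loops else "ok"
        print(f"{label}: {state}")
```

Before the fix the script reports 202.0.0.1 as resolving through Tunnel0, which is exactly the address the page's `undo network` command stops advertising; after the fix the only route to 202.0.0.1 is the static one via GigabitEthernet0/0. The same check can be run against a real `display ip routing-table` if its rows are converted into `Route` entries.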
Solution:
On VPN1, stop advertising the public address 202.0.0.1 in OSPF. VPN1's Loopback address can then ping VPN2's Loopback address:
[VPN1-ospf-1-area-0.0.0.0]undo network 202.0.0.1 0.0.0.0
[VPN1]ping -a 1.1.1.1 2.2.2.2
Ping 2.2.2.2 (2.2.2.2) from 1.1.1.1: 56 data bytes, press CTRL+C to break
56 bytes from 2.2.2.2: icmp_seq=0 ttl=255 time=2.000 ms
56 bytes from 2.2.2.2: icmp_seq=1 ttl=255 time=2.000 ms
56 bytes from 2.2.2.2: icmp_seq=2 ttl=255 time=3.000 ms
56 bytes from 2.2.2.2: icmp_seq=3 ttl=255 time=3.000 ms
56 bytes from 2.2.2.2: icmp_seq=4 ttl=255 time=2.000 ms