• 全部
  • 经验案例
  • 典型配置
  • 技术公告
  • FAQ
  • 全部
  • 全部
产品线
搜索
取消
案例类型
发布者
是否解决
是否官方
时间
高级搜索

某局点MSR G2 IPSEC建立失败问题处理经验案例

2018-12-04 发表
  • 0关注
  • 0收藏,1738浏览
孟普 六段
粉丝:1人 关注:0人

组网及说明

某公司总部使用第三方设备,我司设备做为分支出口路由,使用IPSEC与总部建立隧道,发现IPSEC协商失败。


问题描述

分支发起IPSEC建立隧道,发现建立隧道的第一阶段建立成功,第二阶段建立失败。

过程分析

1.查看分支IPSEC配置

interface GigabitEthernet0/2
    port link-mode route
    description =====To_DianXin_WangWai========
    ip address 61.190.XXX.XXX 255.255.255.0
    ipsec apply policy benbu
    #
    acl number 3000
    rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
    #
    ipsec transform-set benbu
    esp encryption-algorithm 3des-cbc
    esp authentication-algorithm md5
    #
    ipsec policy benbu 1 isakmp
    transform-set benbu
    security acl 3000
    remote-address 218.23.XXX.XXX
    ike-profile 1
    sa duration time-based 3600
   #
    ipsec policy benbu local-address GigabitEthernet0/2
   #
    nat static outbound 192.168.5.10 36.34.XXX.XXX   #
    ike nat-keepalive 300
   #
   ike profile 1
   keychain 1
   dpd interval 30 periodic
   exchange-mode aggressive
   match remote identity address 218.23.XXX.XXX 255.255.255.240
   match local address 61.190.XXX.XXX
   proposal 1
  # 
  ike proposal 1
  encryption-algorithm 3des-cbc
  #
  ike keychain 1
  pre-shared-key address 218.23.XXX.XXX 255.255.255.240 key cipher $c$3$nxUC3I9fKO3Mz2vXFkdnuaC88k3ukW0lUQ==


  2、查看IKE SAIPSEC SA的建立情况,,只有IKE SA建立成功,第二阶段协商失败

dis ike sa
    Connection-ID   Remote                Flag         DOI   
------------------------------------------------------------------
    7116            218.23.XXX.XXX        RD           IPSEC 
    7118            218.23.XXX.XXX        RD           IPSEC

3debug查看整个IPSEC的建立过程:

 

*Jan  2 00:27:36:334 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

*Jan  2 00:27:36:335 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:27:36:335 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 5990c5c7f54e8bfc

  R-COOKIE: 5ddd007bb49a8066

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 8982589f

  length: 164

*Jan  2 00:27:36:337 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

sa

<XX ROUTER>*Jan  2 00:27:37:192 2011 XX ROUTER IKE/7/Event: Delete tunnel, current reference count is [1]

*Jan  2 00:27:37:192 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.

*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Construct delete payload.

*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 566cba926ded562a

  R-COOKIE: 16e35809727d34ba

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Info

  flags: ENCRYPT

  message ID: fd31c63e                这时候应该要收到对端的回包,然后到IKE_P2_STATE_SA_CREATED阶段,这里没收到回包直接Delete tunnel,,然后又重新协商

  length: 84

*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Event: Delete tunnel, reference count is [0], tunnel [1] has been freed.

*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.

*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Construct delete payload.

*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:27:37:196 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 5990c5c7f54e8bfc

  R-COOKIE: 5ddd007bb49a8066

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Info

  flags: ENCRYPT

  message ID: b1e88d5d

  length: 84

*Jan  2 00:27:37:196 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Received SA acquire message from IPsec.

*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.

*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: IKE SA not found. Initiate IKE SA negotiation.

*Jan  2 00:27:40:635 2011 XX ROUTER IKE/7/Event: Get profile 1.

  length: 164

*Jan  2 00:27:41:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:27:44:380 2011 XX ROUTER IKE/7/Packet: Received packet from 218.23.XXX.XXX source port 500 destination port 500.

*Jan  2 00:27:44:380 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 6f3ebe12d35f5e2d

  R-COOKIE: 0000000000000000

  next payload: SA

  version: ISAKMP Version 1.0

  exchange mode: Aggressive

  flags: 

  message ID: 0

  length: 348

*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: IKE thread 418149664 processes a job.

*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Packet: Begin a new phase 1 negotiation as responder.

*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Responder created an SA for peer 218.23.XXX.XXX, local port 500, remote port 500.

*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Set IKE SA state to IKE_P1_STATE_INIT.

Debug中最后一次又到这个阶段了,这边一直在发包,但是没有收到对端的回包

*Jan  2 00:28:05:729 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.

*Jan  2 00:28:05:730 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:05:730 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 48b01d257d003ff3

  R-COOKIE: cf6a63e5527e3afa

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: c36f0942

  length: 164

*Jan  2 00:28:05:731 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.

*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 566cba926ded562a

  R-COOKIE: 16e35809727d34ba

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 2ddebef5

  length: 164

*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.

*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 5990c5c7f54e8bfc

  R-COOKIE: 5ddd007bb49a8066

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 8982589f

  length: 164

*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.

*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: a4b4e08ad48dd81d

  R-COOKIE: 2c14d775f8d60efa

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: 96693d8c

  length: 164

*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:28:11:652 2011 XX ROUTER IKE/7/Event: Sending DPD packet of type R_U_THERE with sequence number 25030.

*Jan  2 00:28:11:652 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Construct notification packet: R_U_THERE.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: a4b4e08ad48dd81d

  R-COOKIE: 2c14d775f8d60efa

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Info

  flags: ENCRYPT

  message ID: 66c42362

  length: 84

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.

*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:

  I-COOKIE: 48b01d257d003ff3

  R-COOKIE: cf6a63e5527e3afa

  next payload: HASH

  version: ISAKMP Version 1.0

  exchange mode: Quick

  flags: ENCRYPT

  message ID: c36f0942

  length: 164

*Jan  2 00:28:11:654 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

undo debugging all

 

 4.核对两边的配置,发现对端配置了PFS


解决方法

 在ipsec安全提议下加上pfs dh-group2后IPSEC SA正常建立

ipsec transform-set benbu
    esp encryption-algorithm 3des-cbc
    esp authentication-algorithm md5

pfs dh-group2

 

PFS(Perfect Forward Secrecy,完善的前向安全性)是一种安全特性,它解决了密钥之间相互无关性的需求。由于IKE第二阶段协商需要从第一阶段协商出的密钥材料中衍生出用于IPsec SA的密钥,若攻击者能够破解IKE SA的一个密钥,则会非常容易得掌握其衍生出的任何IPsec SA的密钥。使用PFS特性后,IKE第二阶段协商过程中会增加一次DH交换,使得IKE SA的密钥和IPsec SA的密钥之间没有派生关系,即使IKE SA的其中一个密钥被破解,也不会影响它协商出的其它密钥的安全性。

发起方的PFS强度必须大于或等于响应方的PFS强度,否则协商会失败。不配置PFS特性的一端,按照对端的PFS特性要求进行IKE协商。


1 个评论
zhiliao_uiO1s 知了小白
粉丝:0人 关注:0人

你好,这个案例跟我的情况比较相似,我们的总部用的F100,分支机构MSR830,分支发起IPSEC建立隧道,互ping内网不成功,查看日志,防火墙端只有收到包,没有发送包。不知道是不是也是你说的这种情况

编辑评论

举报

×

侵犯我的权益 >
对根叔知了社区有害的内容 >
辱骂、歧视、挑衅等(不友善)

侵犯我的权益

×

泄露了我的隐私 >
侵犯了我企业的权益 >
抄袭了我的内容 >
诽谤我 >
辱骂、歧视、挑衅等(不友善)
骚扰我

泄露了我的隐私

×

您好,当您发现根叔知了上有泄漏您隐私的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您认为哪些内容泄露了您的隐私?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)

侵犯了我企业的权益

×

您好,当您发现根叔知了上有关于您企业的造谣与诽谤、商业侵权等内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到 zhiliao@h3c.com 邮箱,我们会在审核后尽快给您答复。
  • 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
  • 3. 是哪家企业?(营业执照,单位登记证明等证件)
  • 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

抄袭了我的内容

×

原文链接或出处

诽谤我

×

您好,当您发现根叔知了上有诽谤您的内容时,您可以向根叔知了进行举报。 请您把以下内容通过邮件发送到zhiliao@h3c.com 邮箱,我们会尽快处理。
  • 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
  • 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
我们认为知名企业应该坦然接受公众讨论,对于答案中不准确的部分,我们欢迎您以正式或非正式身份在根叔知了上进行澄清。

对根叔知了社区有害的内容

×

垃圾广告信息
色情、暴力、血腥等违反法律法规的内容
政治敏感
不规范转载 >
辱骂、歧视、挑衅等(不友善)
骚扰我
诱导投票

不规范转载

×

举报说明

提出建议

    +
<

亲~登录后才可以操作哦!

确定

你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作