Experience case: troubleshooting an IPsec tunnel establishment failure on an MSR G2 at a customer site

Published 2018-12-04
Author: 孟普 (rank: 6-dan member)

Network setup and description

A company's headquarters uses a third-party device, while our device serves as the branch egress router and uses IPsec to build a tunnel to headquarters. The IPsec negotiation was found to fail.


Problem description

The branch initiates the IPsec tunnel. Phase 1 of the tunnel establishment succeeds, but phase 2 fails.

Analysis

1. Check the branch IPsec configuration

interface GigabitEthernet0/2
 port link-mode route
 description =====To_DianXin_WangWai========
 ip address 61.190.XXX.XXX 255.255.255.0
 ipsec apply policy benbu
#
acl number 3000
 rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec transform-set benbu
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy benbu 1 isakmp
 transform-set benbu
 security acl 3000
 remote-address 218.23.XXX.XXX
 ike-profile 1
 sa duration time-based 3600
#
ipsec policy benbu local-address GigabitEthernet0/2
#
nat static outbound 192.168.5.10 36.34.XXX.XXX
#
ike nat-keepalive 300
#
ike profile 1
 keychain 1
 dpd interval 30 periodic
 exchange-mode aggressive
 match remote identity address 218.23.XXX.XXX 255.255.255.240
 match local address 61.190.XXX.XXX
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike keychain 1
 pre-shared-key address 218.23.XXX.XXX 255.255.255.240 key cipher $c$3$nxUC3I9fKO3Mz2vXFkdnuaC88k3ukW0lUQ==


2. Check the IKE SA and IPsec SA status: only the IKE SA is established; the phase 2 negotiation fails.

dis ike sa
    Connection-ID   Remote                Flag         DOI   
------------------------------------------------------------------
    7116            218.23.XXX.XXX        RD           IPSEC 
    7118            218.23.XXX.XXX        RD           IPSEC

3. Use debugging to trace the whole IPsec establishment process:

*Jan  2 00:27:36:334 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jan  2 00:27:36:335 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:27:36:335 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 5990c5c7f54e8bfc
  R-COOKIE: 5ddd007bb49a8066
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 8982589f
  length: 164
*Jan  2 00:27:36:337 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
<XX ROUTER>*Jan  2 00:27:37:192 2011 XX ROUTER IKE/7/Event: Delete tunnel, current reference count is [1]
*Jan  2 00:27:37:192 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Construct delete payload.
*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 566cba926ded562a
  R-COOKIE: 16e35809727d34ba
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Info
  flags: ENCRYPT
  message ID: fd31c63e
  length: 84
*Jan  2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.

At this point a reply from the peer should have been received, after which the IPsec SA would move to the IKE_P2_STATE_SA_CREATED stage. No reply arrives, so the device deletes the tunnel directly and then renegotiates.

*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Event: Delete tunnel, reference count is [0], tunnel [1] has been freed.
*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Construct delete payload.
*Jan  2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:27:37:196 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 5990c5c7f54e8bfc
  R-COOKIE: 5ddd007bb49a8066
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Info
  flags: ENCRYPT
  message ID: b1e88d5d
  length: 84
*Jan  2 00:27:37:196 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Received SA acquire message from IPsec.
*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jan  2 00:27:40:634 2011 XX ROUTER IKE/7/Event: IKE SA not found. Initiate IKE SA negotiation.
*Jan  2 00:27:40:635 2011 XX ROUTER IKE/7/Event: Get profile 1.
  length: 164
*Jan  2 00:27:41:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:27:44:380 2011 XX ROUTER IKE/7/Packet: Received packet from 218.23.XXX.XXX source port 500 destination port 500.
*Jan  2 00:27:44:380 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 6f3ebe12d35f5e2d
  R-COOKIE: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags: 
  message ID: 0
  length: 348
*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: IKE thread 418149664 processes a job.
*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Packet: Begin a new phase 1 negotiation as responder.
*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Responder created an SA for peer 218.23.XXX.XXX, local port 500, remote port 500.
*Jan  2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Set IKE SA state to IKE_P1_STATE_INIT.

The last part of the debug output reaches this stage again: this side keeps sending (and retransmitting) the phase 2 packet but never receives a reply from the peer.

*Jan  2 00:28:05:729 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jan  2 00:28:05:730 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:05:730 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 48b01d257d003ff3
  R-COOKIE: cf6a63e5527e3afa
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: c36f0942
  length: 164
*Jan  2 00:28:05:731 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 566cba926ded562a
  R-COOKIE: 16e35809727d34ba
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 2ddebef5
  length: 164
*Jan  2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 5990c5c7f54e8bfc
  R-COOKIE: 5ddd007bb49a8066
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 8982589f
  length: 164
*Jan  2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: a4b4e08ad48dd81d
  R-COOKIE: 2c14d775f8d60efa
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: 96693d8c
  length: 164
*Jan  2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:28:11:652 2011 XX ROUTER IKE/7/Event: Sending DPD packet of type R_U_THERE with sequence number 25030.
*Jan  2 00:28:11:652 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Construct notification packet: R_U_THERE.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: a4b4e08ad48dd81d
  R-COOKIE: 2c14d775f8d60efa
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Info
  flags: ENCRYPT
  message ID: 66c42362
  length: 84
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan  2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:
  I-COOKIE: 48b01d257d003ff3
  R-COOKIE: cf6a63e5527e3afa
  next payload: HASH
  version: ISAKMP Version 1.0
  exchange mode: Quick
  flags: ENCRYPT
  message ID: c36f0942
  length: 164
*Jan  2 00:28:11:654 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
undo debugging all


4. Comparing the configurations of both ends shows that PFS is configured on the peer.
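As an added example (not part of the original case), the following Python script automates the reasoning of steps 3 and 4 against the MSR IKE/7/Packet debug format shown above: it groups the ISAKMP header dumps by cookie pair and message ID and flags Quick Mode exchanges that this side sent repeatedly without a single Quick Mode packet coming back, which is the signature of a phase 2 proposal mismatch (PFS, transform set or ACL) seen in this case. The sample log is constructed and its cookies, address and message IDs are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the IKE/7/Packet debug lines above (made-up values).
SAMPLE = """\
*Jan  2 00:27:36:335 2011 R IKE/7/Packet: Sending packet to 218.23.0.1 remote port 4500, local port 4500.
*Jan  2 00:27:36:335 2011 R IKE/7/Packet:
  I-COOKIE: 5990c5c7f54e8bfc
  R-COOKIE: 5ddd007bb49a8066
  exchange mode: Quick
  message ID: 8982589f
*Jan  2 00:28:09:650 2011 R IKE/7/Packet: Sending packet to 218.23.0.1 remote port 4500, local port 4500.
*Jan  2 00:28:09:650 2011 R IKE/7/Packet:
  I-COOKIE: 5990c5c7f54e8bfc
  R-COOKIE: 5ddd007bb49a8066
  exchange mode: Quick
  message ID: 8982589f
*Jan  2 00:28:44:380 2011 R IKE/7/Packet: Received packet from 218.23.0.1 source port 500 destination port 500.
*Jan  2 00:28:44:380 2011 R IKE/7/Packet:
  I-COOKIE: 6f3ebe12d35f5e2d
  R-COOKIE: 0000000000000000
  exchange mode: Aggressive
  message ID: 0
"""
FIELD = re.compile(r"^\s+(I-COOKIE|R-COOKIE|exchange mode|message ID): (\S*)")

def parse_packets(text):
    """Yield (direction, header fields) for every ISAKMP header dump in the debug output."""
    direction, fields = None, {}
    for line in text.splitlines():
        if "Sending packet to" in line:
            direction = "sent"
        elif "Received packet from" in line:
            direction = "received"
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
            if m.group(1) == "message ID":   # last header field we need
                yield direction, fields
                fields = {}

def stalled_phase2(text):
    """(I-COOKIE, R-COOKIE, message ID) of Quick Mode exchanges sent more than once and never answered."""
    sent, recv = defaultdict(int), defaultdict(int)
    for direction, f in parse_packets(text):
        if f.get("exchange mode") != "Quick":
            continue
        key = (f["I-COOKIE"], f["R-COOKIE"], f["message ID"])
        (sent if direction == "sent" else recv)[key] += 1
    return sorted(k for k, n in sent.items() if n > 1 and recv[k] == 0)
```

Feed it the output of debugging ike packet captured in a file; an empty result means every Quick Mode message 1 got an answer and the problem lies elsewhere.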


Solution

After adding pfs dh-group2 to the IPsec transform set, the IPsec SA is established normally.

ipsec transform-set benbu
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2

 

PFS (Perfect Forward Secrecy) is a security feature that addresses the requirement that keys be independent of one another. Because IKE phase 2 negotiation derives the keys used for the IPsec SA from the key material produced in phase 1, an attacker who manages to break one key of the IKE SA can very easily obtain the keys of every IPsec SA derived from it. With PFS enabled, IKE phase 2 negotiation performs an additional DH exchange, so there is no derivation relationship between the IKE SA key and the IPsec SA keys; even if one key of the IKE SA is compromised, the security of the other keys it negotiated is not affected.

The initiator's PFS strength must be greater than or equal to the responder's PFS strength, otherwise the negotiation fails. An end on which PFS is not configured performs IKE negotiation according to the PFS requirement of the peer.
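To make the derivation relationship described above concrete, here is an added Python example (not from the original case or from H3C) that follows the RFC 2409 section 5.5 Quick Mode KEYMAT formula with and without PFS. It assumes HMAC-SHA1 as the prf and a toy DH group in place of MODP group 2; the function names quick_mode and recompute_from_skeyid_d are this example's own.

```python
import hmac
import hashlib
import os

# Toy DH group, constructed for illustration only; the real negotiation uses
# MODP group 2 (the "pfs dh-group2" added in the fix), which is far larger.
P = (1 << 127) - 1          # Mersenne prime M127
G = 2
PROTO_ESP = 3               # PROTO_IPSEC_ESP identifier in the KEYMAT input

def prf(key, data):
    # IKEv1's prf is HMAC keyed with the negotiated hash; HMAC-SHA1 assumed here
    return hmac.new(key, data, hashlib.sha1).digest()

def keymat(skeyid_d, spi, ni_b, nr_b, g_qm_xy=None):
    """RFC 2409 5.5: KEYMAT = prf(SKEYID_d, [g(qm)^xy |] protocol | SPI | Ni_b | Nr_b).
    The g(qm)^xy term is present only when PFS was negotiated."""
    body = bytes([PROTO_ESP]) + spi + ni_b + nr_b
    if g_qm_xy is not None:
        body = g_qm_xy.to_bytes(16, "big") + body
    return prf(skeyid_d, body)

def quick_mode(skeyid_d, spi, use_pfs):
    """One Quick Mode run; returns (initiator KEYMAT, responder KEYMAT, transcript).
    The transcript is what an observer on the path sees: the nonces and, with PFS,
    the public DH values g^x and g^y (never x, y or g^xy)."""
    ni_b, nr_b = os.urandom(16), os.urandom(16)
    if not use_pfs:
        k = keymat(skeyid_d, spi, ni_b, nr_b)
        return k, k, (ni_b, nr_b, None)
    x, y = int.from_bytes(os.urandom(16), "big"), int.from_bytes(os.urandom(16), "big")
    gx, gy = pow(G, x, P), pow(G, y, P)         # the extra DH exchange PFS adds
    k_i = keymat(skeyid_d, spi, ni_b, nr_b, pow(gy, x, P))
    k_r = keymat(skeyid_d, spi, ni_b, nr_b, pow(gx, y, P))
    return k_i, k_r, (ni_b, nr_b, (gx, gy))

def recompute_from_skeyid_d(skeyid_d, spi, transcript):
    """What a party holding a compromised SKEYID_d plus the captured transcript
    can derive. Without PFS this is exactly the IPsec SA KEYMAT; with PFS the
    DH secret g^xy is missing (g^x*g^y is not g^xy), so the result is useless."""
    ni_b, nr_b, pub = transcript
    if pub is None:
        return keymat(skeyid_d, spi, ni_b, nr_b)
    gx, gy = pub
    return keymat(skeyid_d, spi, ni_b, nr_b, (gx * gy) % P)
```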



The author revised this case on 2019-06-11.

1 comment

zhiliao_uiO1s (Zhiliao newcomer)

Hello, this case is quite similar to my situation. Our headquarters uses an F100 and the branch an MSR830. The branch initiates the IPsec tunnel, but pinging between the internal networks fails. Looking at the logs, the firewall side only receives packets and never sends any. I wonder whether it is also the situation you describe.
