A company's headquarters uses a third-party device; our device serves as the branch egress router and establishes an IPsec tunnel to headquarters. IPsec negotiation was found to fail.
The branch initiates the IPsec tunnel. Phase 1 of the negotiation succeeds, but phase 2 fails.
1. Check the branch IPsec configuration
interface GigabitEthernet0/2
 port link-mode route
 description =====To_DianXin_WangWai========
 ip address 61.190.XXX.XXX 255.255.255.0
 ipsec apply policy benbu
#
acl number 3000
 rule 10 permit ip source 192.168.5.0 0.0.0.255 destination 192.168.3.0 0.0.0.255
#
ipsec transform-set benbu
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
#
ipsec policy benbu 1 isakmp
 transform-set benbu
 security acl 3000
 remote-address 218.23.XXX.XXX
 ike-profile 1
 sa duration time-based 3600
#
ipsec policy benbu local-address GigabitEthernet0/2
#
nat static outbound 192.168.5.10 36.34.XXX.XXX
#
ike nat-keepalive 300
#
ike profile 1
 keychain 1
 dpd interval 30 periodic
 exchange-mode aggressive
 match remote identity address 218.23.XXX.XXX 255.255.255.240
 match local address 61.190.XXX.XXX
 proposal 1
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike keychain 1
 pre-shared-key address 218.23.XXX.XXX 255.255.255.240 key cipher $c$3$nxUC3I9fKO3Mz2vXFkdnuaC88k3ukW0lUQ==
2. Check the state of the IKE SA and the IPsec SA: only the IKE SA is established; phase 2 negotiation fails
dis ike sa
Connection-ID   Remote            Flag    DOI
------------------------------------------------------------------
7116            218.23.XXX.XXX    RD      IPSEC
7118            218.23.XXX.XXX    RD      IPSEC
3. Use debugging to observe the whole IPsec establishment process:
*Jan 2 00:27:36:334 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jan 2 00:27:36:335 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:27:36:335 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 5990c5c7f54e8bfc
R-COOKIE: 5ddd007bb49a8066
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 8982589f
length: 164
*Jan 2 00:27:36:337 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
<XX ROUTER>*Jan 2 00:27:37:192 2011 XX ROUTER IKE/7/Event: Delete tunnel, current reference count is [1]
*Jan 2 00:27:37:192 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan 2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Construct delete payload.
*Jan 2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:27:37:193 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 566cba926ded562a
R-COOKIE: 16e35809727d34ba
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: fd31c63e
At this point the peer's reply should arrive and the IPsec SA should move to IKE_P2_STATE_SA_CREATED. Instead no reply arrives, the router deletes the tunnel directly, and then negotiation starts over.
length: 84
*Jan 2 00:27:37:193 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:27:37:195 2011 XX ROUTER IKE/7/Event: Delete tunnel, reference count is [0], tunnel [1] has been freed.
*Jan 2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan 2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Construct delete payload.
*Jan 2 00:27:37:195 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:27:37:196 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 5990c5c7f54e8bfc
R-COOKIE: 5ddd007bb49a8066
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: b1e88d5d
length: 84
*Jan 2 00:27:37:196 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Received SA acquire message from IPsec.
*Jan 2 00:27:40:634 2011 XX ROUTER IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jan 2 00:27:40:634 2011 XX ROUTER IKE/7/Event: IKE SA not found. Initiate IKE SA negotiation.
*Jan 2 00:27:40:635 2011 XX ROUTER IKE/7/Event: Get profile 1.
length: 164
*Jan 2 00:27:41:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:27:44:380 2011 XX ROUTER IKE/7/Packet: Received packet from 218.23.XXX.XXX source port 500 destination port 500.
*Jan 2 00:27:44:380 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 6f3ebe12d35f5e2d
R-COOKIE: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Aggressive
flags:
message ID: 0
length: 348
*Jan 2 00:27:44:381 2011 XX ROUTER IKE/7/Event: IKE thread 418149664 processes a job.
*Jan 2 00:27:44:381 2011 XX ROUTER IKE/7/Packet: Begin a new phase 1 negotiation as responder.
*Jan 2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Responder created an SA for peer 218.23.XXX.XXX, local port 500, remote port 500.
*Jan 2 00:27:44:381 2011 XX ROUTER IKE/7/Event: Set IKE SA state to IKE_P1_STATE_INIT.
By the end of the debug output the negotiation has reached this stage again: our side keeps sending phase 2 packets but never receives a reply from the peer.
*Jan 2 00:28:05:729 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jan 2 00:28:05:730 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:05:730 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 48b01d257d003ff3
R-COOKIE: cf6a63e5527e3afa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: c36f0942
length: 164
*Jan 2 00:28:05:731 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 566cba926ded562a
R-COOKIE: 16e35809727d34ba
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 2ddebef5
length: 164
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan 2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:09:650 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 5990c5c7f54e8bfc
R-COOKIE: 5ddd007bb49a8066
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 8982589f
length: 164
*Jan 2 00:28:09:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan 2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:10:650 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: a4b4e08ad48dd81d
R-COOKIE: 2c14d775f8d60efa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 96693d8c
length: 164
*Jan 2 00:28:10:650 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:28:11:652 2011 XX ROUTER IKE/7/Event: Sending DPD packet of type R_U_THERE with sequence number 25030.
*Jan 2 00:28:11:652 2011 XX ROUTER IKE/7/Packet: Encrypt the packet.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Construct notification packet: R_U_THERE.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: a4b4e08ad48dd81d
R-COOKIE: 2c14d775f8d60efa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: 66c42362
length: 84
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:11:653 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 48b01d257d003ff3
R-COOKIE: cf6a63e5527e3afa
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: c36f0942
length: 164
*Jan 2 00:28:11:654 2011 XX ROUTER IKE/7/Packet: Sending an IPv4 packet.
undo debugging all
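The pattern visible in the debug output above (Quick-mode packets sent and retransmitted, a phase 1 Aggressive-mode packet received, but never a Quick-mode reply) can be picked out of the log mechanically. The following script is an added example written for this write-up, not code from the case author or from H3C: it parses the ISAKMP header blocks the IKE debug prints, counts sent versus received packets per exchange mode, and reports when phase 2 goes unanswered. The sample log embedded in it is constructed from the lines shown above (cookies and the masked addresses are copied from the page, not real values), and the list of phase 2 parameters to compare is the editor's checklist, with the PFS group being the mismatch found in this case.

```python
import re

# Header fields the H3C IKE debug prints after each "IKE/7/Packet:" line
HDR_FIELDS = ("I-COOKIE", "R-COOKIE", "next payload", "version",
              "exchange mode", "flags", "message ID", "length")
DIR_RE = re.compile(r"IKE/7/Packet: (Sending packet to|Received packet from) (\S+)")
RETRANS_RE = re.compile(r"IKE/7/Packet: Retransmit phase 2 packet")

# Constructed sample modelled on the debug lines in the case above; cookies and
# addresses are taken from the page's already-masked output, not real values.
SAMPLE_DEBUG = """\
*Jan 2 00:27:36:334 2011 XX ROUTER IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jan 2 00:27:36:335 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:27:36:335 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 5990c5c7f54e8bfc
R-COOKIE: 5ddd007bb49a8066
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 8982589f
length: 164
*Jan 2 00:27:44:380 2011 XX ROUTER IKE/7/Packet: Received packet from 218.23.XXX.XXX source port 500 destination port 500.
*Jan 2 00:27:44:380 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 6f3ebe12d35f5e2d
R-COOKIE: 0000000000000000
next payload: SA
version: ISAKMP Version 1.0
exchange mode: Aggressive
flags:
message ID: 0
length: 348
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Retransmit phase 2 packet.
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet: Sending packet to 218.23.XXX.XXX remote port 4500, local port 4500.
*Jan 2 00:28:08:650 2011 XX ROUTER IKE/7/Packet:
I-COOKIE: 5990c5c7f54e8bfc
R-COOKIE: 5ddd007bb49a8066
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 8982589f
length: 164
"""


def parse_ike_debug(text):
    """Return (packets, retransmits).

    Each packet is a dict of the ISAKMP header fields plus 'direction'
    ('sent' or 'received') and 'peer', taken from the preceding
    "Sending packet to" / "Received packet from" event line."""
    packets, retransmits = [], 0
    direction = peer = cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if RETRANS_RE.search(line):
            retransmits += 1
            continue
        m = DIR_RE.search(line)
        if m:
            direction = "sent" if m.group(1).startswith("Sending") else "received"
            peer = m.group(2)
            continue
        if line.startswith("I-COOKIE:"):
            cur = {"direction": direction, "peer": peer}
        if cur is not None:
            key, _, val = line.partition(":")
            if key in HDR_FIELDS:
                cur[key] = val.strip()
            if key == "length":  # last header field: the packet is complete
                packets.append(cur)
                cur = None
    return packets, retransmits


def diagnose(packets, retransmits):
    """Classify the exchange: did phase 2 (Quick mode) ever get an answer?"""
    def count(direction, modes):
        return sum(1 for p in packets
                   if p["direction"] == direction and p.get("exchange mode") in modes)
    p1_recv = count("received", ("Main", "Aggressive"))
    p2_sent = count("sent", ("Quick",))
    p2_recv = count("received", ("Quick",))
    if p2_sent and not p2_recv:
        verdict = "phase2_unanswered"
    elif p2_recv:
        verdict = "phase2_answered"
    else:
        verdict = "no_phase2_attempt"
    return {"phase1_received": p1_recv, "phase2_sent": p2_sent,
            "phase2_received": p2_recv, "retransmits": retransmits,
            "verdict": verdict}


# Editor's checklist: phase 2 parameters that must agree on both peers when
# Quick mode goes unanswered; the PFS group was the mismatch in this case.
PHASE2_CHECKS = ("pfs (DH group) in the transform set",
                 "esp encryption / authentication algorithms",
                 "security acl / traffic selectors on both sides",
                 "sa duration (lifetime) proposals")

if __name__ == "__main__":
    pkts, rt = parse_ike_debug(SAMPLE_DEBUG)
    result = diagnose(pkts, rt)
    print(result)
    if result["verdict"] == "phase2_unanswered":
        print("Quick mode sent %d times with %d retransmits and no reply; compare:"
              % (result["phase2_sent"], rt))
        for check in PHASE2_CHECKS:
            print("  -", check)
```

Run it against a saved `debugging ike all` capture instead of `SAMPLE_DEBUG` to get the same summary; a `phase2_unanswered` verdict with phase 1 received means the peer accepted the IKE SA but silently dropped the Quick-mode proposal, which points at a phase 2 parameter mismatch rather than reachability.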
4. Comparing the configurations on both sides showed that the peer has PFS configured.
After adding pfs dh-group2 under the IPsec transform set, the IPsec SA is established normally.
ipsec transform-set benbu
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2
PFS (Perfect Forward Secrecy) is a security feature that addresses the need for keys to be independent of one another. Because IKE phase 2 negotiation derives the keys for the IPsec SA from the keying material negotiated in phase 1, an attacker who breaks one IKE SA key could very easily obtain the keys of every IPsec SA derived from it. With PFS enabled, IKE phase 2 negotiation performs an additional DH exchange, so there is no derivation relationship between the IKE SA keys and the IPsec SA keys; even if one IKE SA key is compromised, the security of the other keys it negotiated is not affected.
The initiator's PFS strength must be greater than or equal to the responder's PFS strength, otherwise the negotiation fails. A side on which PFS is not configured negotiates IKE according to the peer's PFS requirement.
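The PFS rule just stated can be checked before deploying, by comparing the two transform sets. The script below is an added example for this write-up, not code from the case author or from H3C: it parses the `esp` and `pfs` lines of an `ipsec transform-set` block on each side and applies the rule (initiator strength must be at least the responder's; a side without `pfs` follows the peer). The DH-group ordering is the editor's assumption, by modulus size; the headquarters transform set is constructed, since the page only states that the peer had PFS configured, and the branch sets are the before/after configurations shown above.

```python
# DH groups ordered by strength (by modulus size); assumption for this example,
# covering groups accepted by the H3C pfs keyword.
DH_STRENGTH = {"dh-group1": 1, "dh-group2": 2, "dh-group5": 3, "dh-group14": 4}


def parse_transform_set(text):
    """Pull the esp algorithms and pfs group out of an 'ipsec transform-set' block."""
    ts = {"esp_enc": None, "esp_auth": None, "pfs": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("esp encryption-algorithm "):
            ts["esp_enc"] = line.split()[-1]
        elif line.startswith("esp authentication-algorithm "):
            ts["esp_auth"] = line.split()[-1]
        elif line.startswith("pfs "):
            ts["pfs"] = line.split()[1]
    return ts


def phase2_mismatches(initiator_cfg, responder_cfg):
    """Return the reasons phase 2 would fail; an empty list means the sets agree."""
    i, r = parse_transform_set(initiator_cfg), parse_transform_set(responder_cfg)
    problems = []
    for field in ("esp_enc", "esp_auth"):
        if i[field] != r[field]:
            problems.append(f"{field}: initiator {i[field]} vs responder {r[field]}")
    # PFS rule from the case: initiator strength >= responder strength. A responder
    # without pfs requires nothing (strength 0); an initiator without pfs offers 0,
    # so it fails only when the responder requires a group.
    required = DH_STRENGTH.get(r["pfs"], 0)
    offered = DH_STRENGTH.get(i["pfs"], 0)
    if offered < required:
        problems.append(f"pfs: initiator offers {i['pfs'] or 'none'}, "
                        f"responder requires {r['pfs']}")
    return problems


# Constructed configs: the branch before and after the fix, and an assumed HQ side.
BRANCH_BEFORE = """ipsec transform-set benbu
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
"""
BRANCH_AFTER = BRANCH_BEFORE + " pfs dh-group2\n"
HQ = """ipsec transform-set hq
 esp encryption-algorithm 3des-cbc
 esp authentication-algorithm md5
 pfs dh-group2
"""

if __name__ == "__main__":
    print(phase2_mismatches(BRANCH_BEFORE, HQ))  # the case as found: pfs mismatch
    print(phase2_mismatches(BRANCH_AFTER, HQ))   # after the fix: []
    print(phase2_mismatches(HQ, BRANCH_BEFORE))  # HQ initiating: [] (branch follows the peer)
```

Note the asymmetry: with the branch initiating and no `pfs` configured, the offer is weaker than what headquarters requires and phase 2 fails, which is exactly what the debug output showed; had headquarters initiated, the branch would have followed the peer's PFS requirement and the tunnel would have come up.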
Hello, this case is quite similar to my situation. Our headquarters uses an F100 and the branch uses an MSR830. The branch initiates the IPsec tunnel, but pings between the internal networks fail. Looking at the logs, the firewall side only receives packets and never sends any. I wonder whether this is the same situation you describe.