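Not applicable.
An IPsec tunnel between an MSR830 and a Topsec device cannot be brought up: IKE phase 1 fails to establish.
Router configuration: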
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike dpd tozb
interval-time 30
time-out 60
#
ike peer tozb
exchange-mode aggressive
proposal 2
pre-shared-key cipher $c$3$zIySpTe7nDA9jO+UDPeG6uJ60NOUuUZAgw==
id-type name
remote-name @zb1
remote-address 221.212.156.85
local-address 221.212.156.86
local-name @cs1
nat traversal
dpd tozb
#
ipsec transform-set tozb
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy 1048576 2 isakmp
connection-name tozb
security acl 3000
ike-peer tozb
transform-set tozb
sa duration traffic-based 1843200
sa duration time-based 3600
#
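Topsec device configuration:
Judging from the configuration, the parameters on both sides match. Analysing the output of debugging ike all, we found the following error: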
*Jan 1 00:52:07:859 2013 HRB-TIEMA IKE/7/DEBUG: find IKE peer by ID.
IfIndex:0x00100000, ID:zb1.
local addr:221.212.156.86, remote addr:221.212.156.85.
*Jan 1 00:52:07:959 2013 HRB-TIEMA IKE/7/DEBUG: P1 handle ID: Failed to find IKE peer by ID.
*Jan 1 00:52:08:009 2013 HRB-TIEMA IKE/7/DEBUG: exchange state machine: Failed to receive message.
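The MSR830 could not find an IKE peer with the ID zb1. From this we inferred that on the Topsec device the local and remote identifiers have to be configured with the @ prefix, whereas in the IKE peer configuration on our device the @ is not needed.
Setting remote-name and local-name in the ike peer configuration to zb1 and cs1 resolved the problem.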
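A small offline check for the mismatch diagnosed above, as an added example that is not part of the original case or of the vendor's tooling: it compares the ID reported in the IKE debug output with the remote-name of each ike peer section. The function names and the embedded sample text are assumptions, constructed from the configuration and log shown on this page.

```python
import re

# Constructed sample input: excerpts of the configuration and debug output above.
CONFIG = """\
ike peer tozb
id-type name
remote-name @zb1
local-name @cs1
#
"""
DEBUG = """\
*Jan 1 00:52:07:859 2013 HRB-TIEMA IKE/7/DEBUG: find IKE peer by ID.
IfIndex:0x00100000, ID:zb1.
*Jan 1 00:52:07:959 2013 HRB-TIEMA IKE/7/DEBUG: P1 handle ID: Failed to find IKE peer by ID.
"""

def parse_remote_names(config):
    """Map each 'ike peer <name>' section to its configured remote-name."""
    peers, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if len(words) == 3 and words[:2] == ["ike", "peer"]:
            current = words[2]
        elif words == ["#"]:
            current = None
        elif current and len(words) == 2 and words[0] == "remote-name":
            peers[current] = words[1]
    return peers

def failed_ids(debug):
    """IDs whose 'find IKE peer by ID' lookup was followed by a failure line."""
    ids, pending = [], None
    for line in debug.splitlines():
        m = re.search(r"\bID:(\S+?)\.\s*$", line)
        if m:
            pending = m.group(1)
        elif "Failed to find IKE peer by ID" in line and pending is not None:
            ids.append(pending)
            pending = None
    return ids

def diagnose(config, debug):
    """Per failed ID: peers matching exactly, and peers differing only by a leading '@'."""
    peers = parse_remote_names(config)
    return [{
        "received_id": rid,
        "exact": [p for p, n in peers.items() if n == rid],
        "at_only": [p for p, n in peers.items()
                    if n != rid and n.lstrip("@") == rid.lstrip("@")],
    } for rid in failed_ids(debug)]
```

An empty `exact` list with a non-empty `at_only` list is the situation in this case: the peer exists, but its remote-name differs from the received ID only by the leading @.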