At one site acting as headquarters, an F1050 is used as the egress device. An IPsec tunnel to one branch had already been established at the egress and was working normally; now an IPsec tunnel to a second branch also has to be set up.
The newly added IPsec tunnel came up normally, but a ping test across it failed.
1. Check the tunnel status:
IPsec was found to be established normally.
2. Check the packet counters of the abnormal tunnel: only received packets were seen, no sent packets.
3. Check the related IPsec configuration:
interface GigabitEthernet1/0/4
port link-mode route
description to_10M
ip address 121.12.*.83 255.255.255.0
nat outbound 3000 address-group 0
ipsec apply policy map1
#
acl advanced 3010
description ipsec_vpn
rule 1 permit ip source 10.0.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
rule 2 permit ip source 10.0.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
rule 3 permit ip source 10.0.0.0 0.0.255.255 destination 192.168.3.0 0.0.0.255
rule 4 permit ip source 10.1.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 192.168.2.0 0.0.0.255
rule 6 permit ip source 10.1.0.0 0.0.255.255 destination 192.168.3.0 0.0.0.255
rule 7 permit ip source 10.100.64.0 0.0.63.255 destination 192.168.1.0 0.0.0.255
rule 8 permit ip source 10.100.64.0 0.0.63.255 destination 192.168.2.0 0.0.0.255
rule 9 permit ip source 10.100.64.0 0.0.63.255 destination 192.168.3.0 0.0.0.255
rule 10 permit ip source 10.0.0.0 0.0.255.255 destination 192.168.0.0 0.0.0.255
rule 11 permit ip source 10.1.0.0 0.0.255.255 destination 192.168.0.0 0.0.0.255
rule 12 permit ip source 10.100.64.0 0.0.63.255 destination 192.168.0.0 0.0.0.255
rule 13 permit ip source 10.0.0.0 0.0.255.255 destination 10.101.0.0 0.0.255.255
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template map2 1
transform-set 1
security acl 3010
ike-profile profile2
#
ipsec policy map1 10 isakmp
transform-set 1
security acl 3010
local-address 121.12.*.83
remote-address 121.35.*.10
ike-profile profile1
#
ipsec policy map1 100 isakmp template map2
#
ike identity fqdn h3c
#
ike profile profile1
keychain keychain1
local-identity address 121.12.*.83
match remote identity address 121.35.*.10 255.255.255.255
proposal 1
#
ike profile profile2
keychain keychain2
exchange-mode aggressive
local-identity address 121.12.*.83
match remote identity address 0.0.0.0 0.0.0.0
proposal 2
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike proposal 2
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain keychain1
pre-shared-key address 121.35.*.10 255.255.255.255 key cipher $c$3$9x2+cfLSXrg6G7xDgdhHcS1W+8KsH3oRnQ==
#
ike keychain keychain2
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$CfvR/OkwzOauiG5OpohU7vfoOKXZEX0wcQ==
#
security-policy ip
rule 0 name p_a_a
action pass
logging enable
counting enable
source-zone Local
source-zone Trust
source-zone DMZ
source-zone Untrust
destination-zone Local
destination-zone Trust
destination-zone DMZ
destination-zone Untrust
#
return
The abnormal tunnel is established through a policy template, and the configuration of that tunnel itself looks fine; the egress NAT also denies the IPsec interesting traffic. However, this site has one more tunnel. Examining that other tunnel shows that it works normally, but both tunnels use the same ACL (3010), so traffic is matched against the wrong tunnel and the packets are dropped.
When the headquarters establishes IPsec through a template, no ACL is needed. Method 1: have both branches establish their tunnels with the same template and use no ACL. Method 2: give each branch's IPsec its own ACL, with no overlap between them, so that traffic cannot be mis-matched.
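As an added example (not from this case and not H3C's own tooling), the following Python script parses an H3C-style configuration excerpt and flags IPsec policy entries that share one security ACL, or whose ACLs contain rules with overlapping source/destination ranges, resolving the ACL that a template-based entry inherits from its policy template. The excerpt is constructed to mirror the case (names map1, map2 and ACL 3010 as on the page), and only contiguous wildcard masks are accepted.

```python
import ipaddress
import re

CONFIG = """\
acl advanced 3010
 rule 1 permit ip source 10.0.0.0 0.0.255.255 destination 192.168.1.0 0.0.0.255
#
ipsec policy-template map2 1
 security acl 3010
#
ipsec policy map1 10 isakmp
 security acl 3010
#
ipsec policy map1 100 isakmp template map2
"""  # constructed excerpt modelled on the case (hypothetical, not the device's own export)
RULE_RE = re.compile(r"rule (\d+) permit ip source (\S+) (\S+) destination (\S+) (\S+)")

def wildcard_to_network(addr, wildcard):
    host = int(ipaddress.IPv4Address(wildcard))  # H3C wildcard: 1 bits are "don't care"
    if host & (host + 1):  # only a contiguous wildcard (2**k - 1) maps to a prefix length
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.ip_network(f"{addr}/{32 - host.bit_length()}", strict=False)

def parse(config):  # -> ({acl number: [(rule, src, dst)]}, [(policy entry, acl number)])
    acls, templates, entries = {}, {}, []
    for block in config.split("#\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()] or [""]
        head, body = lines[0].split(), lines[1:]
        acl = next((int(ln.split()[2]) for ln in body if ln.startswith("security acl ")), None)
        if head[:2] == ["acl", "advanced"]:
            acls[int(head[2])] = [(int(m[1]), wildcard_to_network(m[2], m[3]),
                wildcard_to_network(m[4], m[5])) for m in map(RULE_RE.match, body) if m]
        elif head[:2] == ["ipsec", "policy-template"]:
            templates[head[2]] = acl
        elif head[:2] == ["ipsec", "policy"]:  # "... isakmp template NAME" inherits the template's ACL
            entries.append((" ".join(head[2:4]), templates.get(head[-1]) if "template" in head else acl))
    return acls, [e for e in entries if e[1] is not None]  # an entry with no ACL cannot clash

def find_conflicts(config=CONFIG):  # pairs of entries sharing one ACL or with overlapping ACL rules
    acls, entries = parse(config)
    findings = []
    for i, (name_a, acl_a) in enumerate(entries):
        for name_b, acl_b in entries[i + 1:]:
            if acl_a == acl_b:
                findings.append(f"{name_a} and {name_b} share ACL {acl_a}")
            else:  # different ACLs are still a problem if any src/dst pair overlaps
                findings += [f"{name_a} ACL {acl_a} rule {ra} overlaps {name_b} ACL {acl_b} rule {rb}"
                             for ra, sa, da in acls.get(acl_a, []) for rb, sb, db in acls.get(acl_b, [])
                             if sa.overlaps(sb) and da.overlaps(db)]
    return findings
```

Run against the embedded excerpt it reports that entries map1 10 and map1 100 share ACL 3010; a template entry with no security ACL (method 1) or disjoint per-branch ACLs (method 2) produce no findings.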