某局点用MSR3610替换其他厂商路由器,公网口为pppoe拨号口,跟Juniper防火墙建立ipsec vpn不成功
拓扑:MSR361--->>Internet---<<---juniper
参照其他厂商路由器配置修改MSR配置之后,使用野蛮模式建立ipsec vpn,目前第一阶段协商不成功。
因为是用MSR替换其他厂商路由器,而其他厂商路由器关于ipsec vpn的配置上有较大的不同,代理商根据原始配置进行翻译,所以导致ipsec vpn建立不成功的原因很大可能是配置错误导致的。
首先检查MSR上ipsec vpn相关配置参数,可以确认ike和ipsec各个参数基本上跟原始配置都是匹配的,由于Juniper那边由于没有权限无法提供完整的配置,只能提供设备脚本,所以接下去的排查方式是通过debug ike sa来定位问题。
*Jul 19 15:09:41:858 2016 RT3610_YaBuLai IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.
*Jul 19 15:09:41:858 2016 RT3610_YaBuLai IKE/7/EVENT: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Obtained profile k1.
*Jul 19 15:09:41:858 2016 RT3610_YaBuLai IKE/7/EVENT: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Initiator created an SA for peer 222.74.231.202, local port 500, remote port 500.
*Jul 19 15:09:41:858 2016 RT3610_YaBuLai IKE/7/EVENT: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/EVENT: IKE thread 1099175211696 processes a job.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/EVENT: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Begin Aggressive mode exchange.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/EVENT: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Found pre-shared key that matches address 222.74.231.202 in keychain k1.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Encryption algorithm is DES-CBC.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Hash algorithm is HMAC-MD5.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
DH group 1.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Authentication method is Pre-shared key.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Lifetime type is in seconds.
*Jul 19 15:09:41:859 2016 RT3610_YaBuLai IKE/7/PACKET: vrf = 0, src = 10.88.75.171, dst = 222.74.231.202/500
Life duration is 86400.
......
Failed to find SA by SP, SP Index = 0, SP Seq = 65536.
*Jul 19 15:09:44:064 2016 RT3610_YaBuLai IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunne
至此,发现报文被丢弃,因为没有可用的ipsec 隧道。从debug信息中看出,开始了野蛮模式的协商,加密方式是DES-CBC,摘要算法是HMAC-MD5,秘钥交换算法是DH group 1,身份认证算法是Authentication method is Pre-shared key,秘钥生产周期是 Life duration is 86400.
对比Juniper的脚本信息:
set ike gateway "yang-test" address 0.0.0.0 id "qx" Aggr outgoing-interface "ethernet1/1" preshare "nv/vuheaNP2oyQsWxlCGLmffjJn6lMAERw==" proposal "pre-g1-des-md5"
确认预共享秘钥不是复制配置的情况下,而proposal也是匹配的,再次查看原始路由器有如下配置:
crypto identification bdcom
dn "qx"
怀疑是野蛮模式使用的认证标识不一致导致的,修改MSR配置如下:
ike profile k1
keychain k1
exchange-mode aggressive
local-identity fqdn qx
match remote identity address 222.74.231.202 255.255.255.255
proposal 1
修改配置之后,reset ike sa,重新ping流量触发建立ipsec,ike sa和ipsec sa均能正常建立。
Connection-ID Remote Flag DOI
------------------------------------------------------------------
11 222.74.231.202 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING
-------------------------------
Interface: Eth-channel1/0:0
-------------------------------
-----------------------------
IPsec policy: p1
Sequence number: 1
Mode: ISAKMP
Path MTU: 1436
Tunnel:
local address: 10.77.115.68
remote address: 222.74.231.202
Flow:
sour addr: 10.62.100.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.18.112.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2219917385 (0x84514049)
Connection ID: 55834574853
Status: Active
[Outbound ESP SAs]
SPI: 4256772141 (0xfdb9302d)
Status: Active
到目前为止,ipsec能正常建立,但是在测试网络连通性的时候,用本端内网私有地址去ping对端内网私有地址不通。
reset ike sa,reset ipsec sa,开启debug,重新触发流量,从debug信息中看出
SA也都能正常建立,ping的报文也都发出去了
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
--- Sent IPsec packet ---
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Outbound IPsec processing: Src : 192.168.2.2 Dst : 172.18.112.1 SPI : 4256773008 PING报文outbound 经过ispec 处理
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Added IP fast forwarding entry.
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Outbound IPsec processing: ESP auth algorithm: MD5, ESP encp algorithm: DES-CBC.
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Packet will be sent to CCF for sync-encryption.
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 1.
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Outbound IPsec processing: Sent packet back to IP forwarding.
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Before re-ip-output, the inside vpn(0), outside vpn(0).
*Jul 26 13:03:10:649 2016 RT3610_YaBuLai IPSEC/7/PACKET:
The inside vpn change to 0.
*Jul 26 13:03:12:849 2016 RT3610_YaBuLai IPSEC/7/EVENT:
Enter IPsec FS output process, Data length : 84
*Jul 26 13:03:12:849 2016 RT3610_YaBuLai IPSEC/7/PACKET:
Output fastforward: Pkt IfIndexOut(4), Pkt vrfIndexOut(0).
再看具体的ipsec报文统计信息:
IPsec packet statistics:
Received/sent packets: 0/5
Received/sent bytes: 0/440
Dropped packets (received/sent): 3/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 3
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
至此为止,基本可以定位为报文发出去了,有可能是发出去了运营商干掉了(比如目的公网地址变了),要么就是对端设备收到之后丢弃了或者没有回复。最后建议代理商协调Juniper工程师检查防火墙配置,修改相应的域间策略之后问题解决。
1、在MSR上修改本地标识 local-identity fqdn qx
2、排查对端防火墙基本配置是否正确
与第三方厂商设备对接,建立ipsec vpn不成功,以下思路仅供参考:
1、先参考资料检查配置的是否正确、完整
参考配置手册、命令手册、典型配置、配置注意事项等
2、再收集debug ike all信息
<1>打开debug开关
<2>两端 reset ike sa、reset ipsec sa
<3>触发IPSec隧道建立
3、根据debug信息再检查配置
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作