问题描述:
通过debug ike all和debug ipsec all 显示以下信息。
*Apr 13 12:01:37:707 2021 g340 IPSEC/7/EVENT:
Can't find block-flow node.
*Apr 13 12:01:37:707 2021 g340 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Apr 13 12:01:37:707 2021 g340 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Apr 13 12:01:37:707 2021 g340 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Apr 13 12:01:37:707 2021 g340 IPSEC/7/EVENT:
Received negotiate SA message from IPsec kernel.
*Apr 13 12:01:37:708 2021 g340 IPSEC/7/EVENT:
Got SA time-based soft lifetime settings when filling Sp data.
Configured soft lifetime buffer : 0 seconds.
Configured global soft lifetime buffer : 0 seconds.
*Apr 13 12:01:37:708 2021 g340 IKE/7/EVENT: Received message from ipsec, message type is 0.
*Apr 13 12:01:37:708 2021 g340 IKE/7/EVENT: Received SA acquire message from IPsec.
*Apr 13 12:01:37:708 2021 g340 IKE/7/EVENT: IKE thread 1955915040 processes a job.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: Received SA acquire message from IPsec.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Obtained profile 1.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Initiator created an SA for peer 101.207.118.189, local port 500, remote port 500.
*Apr 13 12:01:37:709 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Apr 13 12:01:37:710 2021 g340 IKE/7/EVENT: IKE thread 1955915040 processes a job.
*Apr 13 12:01:37:710 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Begin Aggressive mode exchange.
*Apr 13 12:01:37:710 2021 g340 IKE/7/EVENT: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Pre-shared key matching address 101.207.118.189 not found.
*Apr 13 12:01:37:710 2021 g340 IKE/7/ERROR: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
No available proposal.
*Apr 13 12:01:37:710 2021 g340 IKE/7/ERROR: vrf = 0, local = 171.88.97.149, remote = 101.207.118.189/500
Failed to negotiate IKE SA.
*Apr 13 12:01:37:714 2021 g340 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Apr 13 12:01:37:715 2021 g340 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
能帮我看看是什么问题吗?
组网及组网描述:
如上
- 2021-04-13提问
- 举报
-
(0)
最佳答案
您好,请知:
IPSEC VPN故障排查:
1、检查公网地址的连通性
2、检查ipsec acl是否配置正确(两端ACL以互为镜像的方式配置)
3、检查ike keychain/ike profile 协商参数配置是否正确(工作模式、keychain、identity、本端/对端隧道地址或隧道名称、NAT穿越功能v7自适应)
4、检查ipsec proposal(v5平台) /ipsec transform-set(v7平台)参数两端是否一致(封装模式、安全协议、验证算法、加密算法)
5、检查设备是否创建ipsec策略,并加载协商参数(acl、ike profile 、ipsec transform-set、对端隧道IP)
6、检查ipsec策略是否应用在正确的接口上
IPSEC排查命令:
1、disp ipsec policy
2、disp acl
3、dis cu conf ike-profile
4、dis cu conf ike-keychain
5、display ike proposal
6、display ipsec transform-set
7、disp ike sa (verbose)
8、disp ipsec sa
9、reset ipsec sa
10、reset ike sa
- 2021-04-13回答
- 评论(0)
- 举报
-
(0)
协商没有成功,检查下配置吧。
- 2021-04-13回答
- 评论(1)
- 举报
-
(0)
能找出什么原因没协商起来吗?
能找出什么原因没协商起来吗?
您好,拨号的宽带,建议使用野蛮模式。建议参考如下官网配置指导及配置脚本:
排查思路和4楼是一样的,V7命令有些不一样参考官网配置指导。
https://www.h3c.com/cn/d_201912/1249155_30005_0.htm#_Toc25745743
version 5.20, Release 2507
#
sysname L_SHANXI-MSR002
#
ike local-name fenbu
#
dar p2p signature-file flash:/p2p_default.mtd
#
acl number 3000
rule 0 permit ip source 10.196.109.XX 0.0.0.7 destination 10.0.0.0 0.255.255.255
#
ike dpd 1
#
ike peer chanxian
exchange-mode aggressive
pre-shared-key cipher $c$3$IdhYQRKrEooV9DEdb91TeXSay71o3Dtp/etAqtg=
id-type name
remote-name zongbu
remote-address ***.*** dynamic
nat traversal
dpd 1
#
ipsec transform-set 1
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy fenbu 1 isakmp
security acl 3000
ike-peer chanxian
transform-set 1
#
local-user pinxxn
password cipher $c$3$SJl5kERAU2CQy89wgX90Qyjsv0uIsPcPWt1/l/Q=
authorization-attribute level 3
service-type ssh telnet terminal
local-user pinganmsr
password cipher $c$3$z12KNEm/Pvi52iEZIUEc+vfj2sb8rqYu
service-type telnet
#
interface Dialer0
link-protocol ppp
ppp chap user 35490950055
ppp chap password cipher $c$3$fD7QuBlsTg6Ac22T+OXsfYsF9iANzJvVfg==
ppp pap local-user 35490950055 password cipher $c$3$TihlPhQnqzwkdj+wJKb4EFgGpjUFpCYAEQ==
ppp ipcp dns admit-any
ppp ipcp dns request
mtu 1450
ip address ppp-negotiate
dialer user pppoe
dialer-group 1
dialer bundle 1
ipsec policy fenbu
#
interface Vlan-interface1
ip address 10.196.109.81 255.255.255.248
tcp mss 1024
#
interface GigabitEthernet0/0
port link-mode route
pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer0
#
ssh server enable
#
dialer-rule 1 ip permit
#
V7版本的:
- 2021-04-13回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明