H3C F1000AK109配置IPsec IKEv2不成功
- 0关注
- 0收藏,2056浏览
问题描述:
Ihttps://www.h3c.com/en/d_202209/1686672_294551_0.htm
H3C F000AK9防火墙,参照以上链接配置的Psec tunnel interface-based IPsec for IPv4 packets (IKEv2 with preshared key authentication), GigabitEthernet1/0/3是默认上网线路,GigabitEthernet1/0/4连接内网,GigabitEthernet1/0/5上连接了另一条新申请的上网线路,通过此线路做IPSEC VPN到公司美国总部。
#
version 7.1.064, Release 9536P2415
#
...
#
interface GigabitEthernet1/0/3
port link-mode route
description outside
duplex full
speed 100
ip address 100.100.100.2 255.255.255.240
packet-filter 3000 inbound
nat outbound
#
interface GigabitEthernet1/0/4
port link-mode route
ip address 10.0.20.2 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
description outside_Google
ip address 101.101.101.226 255.255.255.248
nat outbound 3001
#
...
#
interface Tunnel1 mode ipsec
ip address 10.6.106.2 255.255.255.252
source 101.101.101.226
destination 64.200.100.100
tunnel protection ipsec profile telusagcgipsec
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/4
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/3
import interface GigabitEthernet1/0/5
import interface SSLVPN-AC1
import interface Tunnel1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source Any destination Any
#
zone-pair security source Trust destination Trust
#
...
#
ip route-static 0.0.0.0 0 180.169.59.17
ip route-static 8.8.4.0 24 Tunnel1
ip route-static 8.8.8.0 24 Tunnel1
ip route-static 10.0.0.0 24 10.0.20.1
...
ip route-static 64.200.100.100 32 101.101.101.225
ip route-static 64.233.160.0 19 Tunnel1
ip route-static 66.22.228.0 23 Tunnel1
...
#
ssh server enable
#
acl advanced 3000
rule 200 permit ip
#
acl advanced 3001
rule 0 permit ip source 10.0.0.0 0.0.255.255 destination 64.200.100.100 0
rule 10 permit ip source 101.101.101.226 0 destination 64.200.100.100 0
rule 100 deny ip
#
ipsec profile telusagcgipsec isakmp
transform-set telusagcgtrans
ikev2-profile telusagcgprofile
#
ikev2 keychain keytelusagcg
peer peer1
address 64.200.100.100 255.255.255.255
identity address 64.200.100.100
pre-shared-key ciphertext $c$3$esZvMk7UaBkA0GOwcRLYQTAmihA1yp9Ywk0hYdFnAm/lLQAvWWHIEhk=
#
ikev2 profile telusagcgprofile
authentication-method local pre-share
authentication-method remote pre-share
keychain keytelusagcg
match remote identity address 64.200.100.100 255.255.255.255
#
ikev2 proposal telusagcg
encryption aes-cbc-256
dh group14
#
ikev2 policy telusagcgpolicy
proposal telusagcg
#
security-policy ip
rule 0 name Trust-Trust-0
action pass
source-zone Trust
destination-zone Trust
rule 1 name Any-Any-1
action pass
#
return
配置完成后,Tunnel 1接口状态为down。display ikev2 sa结果无显示
[H3CAFSChina]display ikev2 sa
Tunnel ID Local Remote Status
---------------------------------------------------------------------------
debug ikev2 all结果如下,报错“Failed to find policy.”
*Oct 1 13:27:18:021 2022 H3CAFSChina IKEV2/7/EVENT: [IPsec->IKE] Get an IPsec SA acquire request.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
(Tunnel ID 32664): (I) Current State: IDLE.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Choose profile telusagcgprofile.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Getting pre-shared key from profile keychain keytelusagcg.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Getting pre-shared key by address 64.200.100.100.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Peer peer1 matched.
*Oct 1 13:27:18:022 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Search policy with vrf 0, local address 101.101.101.226.
*Oct 1 13:27:18:023 2022 H3CAFSChina IKEV2/7/ERROR: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
Failed to find policy.
*Oct 1 13:27:18:023 2022 H3CAFSChina IKEV2/7/FSM: vrf = 0, src = 101.101.101.226, dst = 64.200.100.100/500
(Tunnel ID 32664): IKE SA deleted.
对端的设备上有收到报错received NO_PROPOSAL_CHOSEN notify error
Sep 29 12:24:35 charon 8823 11[IKE] <con7|649> IKE_SA con7[649] state change: COnNECTING=> DESTROYING
Sep 29 12:24:35 charon 8823 11[CFG] <con7|649> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sep 29 12:24:35 charon 8823 11[IKE] <con7|649> received NO_PROPOSAL_CHOSEN notify error
Sep 29 12:24:35 charon 8823 11[ENC] <con7|649> parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Sep 29 12:24:35 charon 8823 11[NET] <con7|649> received packet: from 101.101.101.226[500] to 64.200.100.100[500] (36 bytes)
Sep 29 12:24:35 charon 8823 06[NET] <con7|649> sending packet: from 64.200.100.100[500] to 101.101.101.226[500] (548 bytes)
Sep 29 12:24:35 charon 8823 06[ENC] <con7|649> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 29 12:24:35 charon 8823 06[CFG] <con7|649> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Sep 29 12:24:35 charon 8823 06[CFG] <con7|649> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
Sep 29 12:24:35 charon 8823 06[IKE] <con7|649> IKE_SA con7[649] state change: CREATED => CONNECTING
组网及组网描述:
- 2022-10-03提问
- 举报
-
(0)
请有空的技术大神们帮忙分析一下,万分感谢
配置是参照这个例子做的
https://www.h3c.com/en/d_202209/1686672_294551_0.htm#_Toc114132436
- 2022-10-03回答
- 评论(0)
- 举报
-
(0)
你这个是纯ikev2吗
不把感兴趣留拒绝,那ipsec的流量又被nat成公网地址了
你先参考这个看看,这个报错还是配置问题
https://zhiliao.h3c.com/Theme/details/45585
- 2022-10-03回答
- 评论(7)
- 举报
-
(1)
谢谢回复,我做了acl advanced 3001 rule 0 permit ip source 10.0.0.0 0.0.255.255 destination 64.200.100.100 0 rule 10 permit ip source 101.101.101.226 0 destination 64.200.100.100 0 rule 100 deny ip 另外我也试过在1/0/5接口完全去掉nat,因为这个接口只是做vpn用不需要上网,也还是没有效果
主要不知道你这个是啥模式,我之前配置的ikev2不需要起tunnel呀,除非是gre over ipsec
另外我这个配置是总部那边给的建议配置,用了Tunnel 1接口,我看你推荐的帖子里是直接在 GigabitEthernet 0/0应用IPSEC,这个有关系吗
tunnel是用隧道口封装,从原理上将,应该tunnel口也调用一下ipsec policy ,你试试能不能调用
是总部那边参照这个文档里的例子Psec tunnel interface-based IPsec for IPv4 packets (IKEv2 with preshared key authentication)给的配置 https://www.h3c.com/en/d_202209/1686672_294551_0.htm
tunnel口没有ipsec policy这个命令, 只有tunnel protection ipsec profile调用profile。,要么等上班了我和总部那边商量一下不用tunnel来配置
您好,请知:
IPSEC VPN故障排查:
1、检查公网地址的连通性
2、检查ipsec acl是否配置正确(两端ACL以互为镜像的方式配置)
3、检查ike keychain/ike profile 协商参数配置是否正确(工作模式、keychain、identity、本端/对端隧道地址或隧道名称、NAT穿越功能v7自适应)
4、检查ipsec proposal(v5平台) /ipsec transform-set(v7平台)参数两端是否一致(封装模式、安全协议、验证算法、加密算法)
5、检查设备是否创建ipsec策略,并加载协商参数(acl、ike profile 、ipsec transform-set、对端隧道IP)
6、检查ipsec策略是否应用在正确的接口上
IPSEC排查命令:
1、disp ipsec policy
2、disp acl
3、dis cu conf ike-profile
4、dis cu conf ike-keychain
5、display ike proposal
6、display ipsec transform-set
7、disp ike sa (verbose)
8、disp ipsec sa
9、reset ipsec sa
10、reset ike sa
- 2022-10-03回答
- 评论(2)
- 举报
-
(1)
谢谢您的帮忙和建议。现在用的配置是参照https://www.h3c.com/en/d_202209/1686672_294551_0.htm来做的,里面没有用到ipsec poilcy,但是报错是没有找到policy
https://www.h3c.com/en/d_202209/1686672_294551_0.htm#_Toc114132436
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明