分部26-00 V5版本 对接总部天融信的设备
- 0关注
- 0收藏,627浏览
问题描述:
总部与分布二阶段起不来,怎么看debugging信息有问题吗,debugging信息在哪里能翻译,能看具体什么意思。采用主模式,3des,MD5,dh1
组网及组网描述:
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:241 2023 H3C IPSEC/7/DBG:
ipsec nat bypass is not enable.
*Dec 22 15:28:43:341 2023 H3C IKE/7/DEBUG: received message:
*Dec 22 15:28:43:392 2023 H3C IKE/7/DEBUG: ICOOKIE: 0x1d8da5014431721e
*Dec 22 15:28:43:392 2023 H3C IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Dec 22 15:28:43:492 2023 H3C IKE/7/DEBUG: NEXT_PAYLOAD: SA
*Dec 22 15:28:43:592 2023 H3C IKE/7/DEBUG: VERSION: 16
*Dec 22 15:28:43:642 2023 H3C IKE/7/DEBUG: EXCH_TYPE: MAIN
*Dec 22 15:28:43:743 2023 H3C IKE/7/DEBUG: FLAGS: [ ]
*Dec 22 15:28:43:843 2023 H3C IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Dec 22 15:28:43:893 2023 H3C IKE/7/DEBUG: LENGTH: 284
*Dec 22 15:28:43:993 2023 H3C IKE/7/DEBUG: exchange lookup all list from COOKIE: iCOOKIE 1d8da5014431721e
*Dec 22 15:28:44:044 2023 H3C IKE/7/DEBUG: parse payloads: payload SA
*Dec 22 15:28:44:144 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:194 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:244 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
%Dec 22 15:28:44:344 2023 H3C IKE/4/IKE_PACKET_DROPPED: -Src addr=*.*.*.*-Dst addr=*.*.*.*-I_COOKIE=d9b4c92fa1613e71-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
*Dec 22 15:28:44:395 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:445 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:495 2023 H3C IKE/7/DEBUG: parse payloads: payload VENDOR
*Dec 22 15:28:44:646 2023 H3C IKE/7/DEBUG: validate payload SA
*Dec 22 15:28:44:696 2023 H3C IKE/7/DEBUG: DOI: 1
*Dec 22 15:28:44:796 2023 H3C IKE/7/DEBUG: unsupported Vendor ID(HEX):
*Dec 22 15:28:44:846 2023 H3C IKE/7/DEBUG: 4f454578 616c467b 5f6f606d 0d000014
*Dec 22 15:28:44:946 2023 H3C IKE/7/DEBUG: receive DPD Protocol Vendor ID
*Dec 22 15:28:45:147 2023 H3C IKE/7/DEBUG: receive rfc3947 Protocol Vendor ID
*Dec 22 15:28:45:247 2023 H3C IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-03 Protocol Vendor ID
*Dec 22 15:28:45:297 2023 H3C IKE/7/DEBUG: unsupported Vendor ID(HEX):
*Dec 22 15:28:45:397 2023 H3C IKE/7/DEBUG: cd604643 35df21f8 7cfdb2fc 68b6a448
*Dec 22 15:28:45:447 2023 H3C IKE/7/DEBUG: receive draft-ietf-ipsec-nat-t-ike-01 Protocol Vendor ID
*Dec 22 15:28:45:498 2023 H3C IKE/7/DEBUG: Find IKE peer by address.
IfIndex:0x00100005.
local addr:*.*.*.*, remote addr:*.*.*.*.
*Dec 22 15:28:45:598 2023 H3C IKE/7/DEBUG: P1 responder exchange setup Main mode: IKE peer name:1
*Dec 22 15:28:45:698 2023 H3C IKE/7/DEBUG: P1 responder exchange setup: Connection name is *.*.*.*,*.*.*.*,500,,0,0,0
*Dec 22 15:28:45:748 2023 H3C IKE/7/DEBUG: exchange setup(R): 9ee2c00
*Dec 22 15:28:45:849 2023 H3C IKE/7/DEBUG: parse payloads: payload PROPOSAL
*Dec 22 15:28:45:949 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:049 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:099 2023 H3C IKE/7/DEBUG: parse payloads: payload TRANSFORM
*Dec 22 15:28:46:250 2023 H3C IKE/7/DEBUG: validate payload PROPOSAL
*Dec 22 15:28:46:400 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:46:500 2023 H3C IKE/7/DEBUG: PROTO: ISAKMP
*Dec 22 15:28:46:600 2023 H3C IKE/7/DEBUG: SPI_SZ: 0
*Dec 22 15:28:46:701 2023 H3C IKE/7/DEBUG: NTRANSFORMS: 3
*Dec 22 15:28:46:751 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:46:851 2023 H3C IKE/7/DEBUG: NO: 0
*Dec 22 15:28:46:951 2023 H3C IKE/7/DEBUG: ID: 1
*Dec 22 15:28:47:001 2023 H3C IKE/7/DEBUG: Transform 0's attributes
*Dec 22 15:28:47:102 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:47:152 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:47:202 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:47:252 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:47:352 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:47:403 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1536
*Dec 22 15:28:47:453 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:47:503 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:47:603 2023 H3C IKE/7/DEBUG: NO: 1
*Dec 22 15:28:47:654 2023 H3C IKE/7/DEBUG: ID: 1o
*Dec 22 15:28:47:854 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:47:904 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:48:006 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:48:106 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:48:207 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:48:257 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_1024
*Dec 22 15:28:48:307 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: validate payload TRANSFORM
*Dec 22 15:28:48:357 2023 H3C IKE/7/DEBUG: NO: 2
*Dec 22 15:28:48:458 2023 H3C IKE/7/DEBUG: ID: 1
*Dec 22 15:28:48:508 2023 H3C IKE/7/DEBUG: Transform 2's attributes
*Dec 22 15:28:48:608 2023 H3C IKE/7/DEBUG: Attribute LIFE_TYPE : SECONDS
*Dec 22 15:28:48:708 2023 H3C IKE/7/DEBUG: Attribute LIFE_DURATION : 86400
*Dec 22 15:28:48:809 2023 H3C IKE/7/DEBUG: Attribute ENCRYPTION_ALGORITHM : AES_CBC
*Dec 22 15:28:48:909 2023 H3C IKE/7/DEBUG: Attribute HASH_ALGORITHM : MD5
*Dec 22 15:28:48:959 2023 H3C IKE/7/DEBUG: Attribute AUTHENTICATION_METHOD : PRE_SHARED
*Dec 22 15:28:49:059 2023 H3C IKE/7/DEBUG: Attribute GROUP_DESCRIPTION : MODP_768
*Dec 22 15:28:49:110 2023 H3C IKE/7/DEBUG: Attribute KEY_LENGTH : AES_CBC_128
*Dec 22 15:28:49:160 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:210 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:310 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:411 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:461 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:561 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:662 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:762 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:813 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:49:914 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:49:964 2023 H3C IKE/7/DEBUG: validate payload VENDOR
*Dec 22 15:28:50:014 2023 H3C IKE/7/DEBUG: vendor ID seen
*Dec 22 15:28:50:115 2023 H3C IKE/7/DEBUG: exchange check: checking for required SA
*Dec 22 15:28:50:165 2023 H3C IKE/7/DEBUG: negotiate sa: transform 0 proto 1 proposal 0 compatible
*Dec 22 15:28:50:215 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:315 2023 H3C IKE/7/DEBUG: negotiate sa: transform 1 proto 1 proposal 0 compatible
*Dec 22 15:28:50:366 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:416 2023 H3C IKE/7/DEBUG: negotiate sa: transform 2 proto 1 proposal 0 compatible
*Dec 22 15:28:50:516 2023 H3C IKE/7/DEBUG: negotiate sa: proposal 0 failed
*Dec 22 15:28:50:566 2023 H3C IKE/7/DEBUG: dropped message from *.*.*.* due to notification type NO_PROPOSAL_CHOSEN
*Dec 22 15:28:50:616 2023 H3C IKE/7/DEBUG: exchange setup(I): 9ee4140
*Dec 22 15:28:50:717 2023 H3C IKE/7/DEBUG: add payload to message: NOTIFY
*Dec 22 15:28:50:817 2023 H3C IKE/7/DEBUG: DOI: IPSEC
*Dec 22 15:28:50:918 2023 H3C IKE/7/DEBUG: PROTO: ISAKMP
*Dec 22 15:28:51:018 2023 H3C IKE/7/DEBUG: SPI_SZ: 0
*Dec 22 15:28:51:068 2023 H3C IKE/7/DEBUG: MSG_TYPE: NO_PROPOSAL_CHOSEN
*Dec 22 15:28:51:169 2023 H3C IKE/7/DEBUG: exchange check: checking for required INFO
*Dec 22 15:28:51:269 2023 H3C IKE/7/DEBUG: send message:
*Dec 22 15:28:51:419 2023 H3C IKE/7/DEBUG: ICOOKIE: 0x1d8da5014431721e
*Dec 22 15:28:51:469 2023 H3C IKE/7/DEBUG: RCOOKIE: 0x0000000000000000
*Dec 22 15:28:51:569 2023 H3C IKE/7/DEBUG: NEXT_PAYLOAD: NOTIFY
*Dec 22 15:28:51:620 2023 H3C IKE/7/DEBUG: VERSION: 16
*Dec 22 15:28:51:670 2023 H3C IKE/7/DEBUG: EXCH_TYPE: INFO
*Dec 22 15:28:51:720 2023 H3C IKE/7/DEBUG: FLAGS: [ ]
*Dec 22 15:28:51:820 2023 H3C IKE/7/DEBUG: MESSAGE_ID: 0x00000000
*Dec 22 15:28:51:921 2023 H3C IKE/7/DEBUG: LENGTH: 44
*Dec 22 15:28:51:971 2023 H3C IKE/7/DEBUG: exchange state machine(I): finished step 0, advancing...
*Dec 22 15:28:52:021 2023 H3C IKE/7/DEBUG: exchange state machine: Failed to handle received message.
*Dec 22 15:28:52:121 2023 H3C IKE/7/DEBUG: exchange release: freeing exchange 9ee2c00
*Dec 22 15:28:52:171 2023 H3C IPSEC/7/DBG:
%Dec 22 15:28:53:877 2023 H3C IKE/4/IKE_PACKET_DROPPED: -Src addr=*.*.*.*-Dst addr=*.*.*.*-I_COOKIE=d9b4c92fa1613e71-R_COOKIE=0000000000000000-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
- 2023-12-23提问
- 举报
-
(0)
最佳答案
根据您提供的日志,我发现以下几个可能的原因:
- 您的 IPsec NAT 穿越功能没有启用。您需要在 IPsec 配置中设置 enable-nat-traversal 为 yes,或者使用 NAT 穿越功能 v7 自适应123。
- 您的 IPsec ACL 配置不正确。您需要确保两端的 ACL 以互为镜像的方式配置,以允许对等体之间的流量通过123。
- 您的 IKE 协商参数配置不正确。您需要检查工作模式、keychain、identity、本端/对端隧道地址或隧道名称等是否匹配123。
- 您的公网地址连通性不佳。您需要检查您的网络设备和路由器是否能够正常访问互联网4。
如果以上方法都不能解决您的问题,您可以尝试使用一些调试命令来排除 IPsec 问题,例如 show crypto isakmp sa, show crypto ipsec sa, debug crypto isakmp, debug crypto ipsec 等5。这些命令可以帮助您查看更多关于 IKE SA 的信息,例如 SPI, transform, key lifetime 等。
- 2023-12-23回答
- 评论(1)
- 举报
-
(0)
我现在已经开nat穿越了,而且acl没有问题,现在我分部只有往总部这条专线写了一条明细路由,这个接口没有默认路由,接口没有nat配置
你nat 是怎么配置的?
ipsec nat bypass is not enable. 这个提示应该是nat 配置有问题,导致的
- 2023-12-23回答
- 评论(1)
- 举报
-
(0)
出接口没做nat啊
出接口没做nat啊
您好,请知:
IPSEC VPN故障排查:
1、检查公网地址的连通性
2、检查ipsec acl是否配置正确(两端ACL以互为镜像的方式配置)
3、检查ike keychain/ike profile 协商参数配置是否正确(工作模式、keychain、identity、本端/对端隧道地址或隧道名称、NAT穿越功能v7自适应)
4、检查ipsec proposal(v5平台) /ipsec transform-set(v7平台)参数两端是否一致(封装模式、安全协议、验证算法、加密算法)
5、检查设备是否创建ipsec策略,并加载协商参数(acl、ike profile 、ipsec transform-set、对端隧道IP)
6、检查ipsec策略是否应用在正确的接口上
IPSEC排查命令:
1、disp ipsec policy
2、disp acl
3、dis cu conf ike-profile
4、dis cu conf ike-keychain
5、display ike proposal
6、display ipsec transform-set
7、disp ike sa (verbose)
8、disp ipsec sa
9、reset ipsec sa
10、reset ike sa
- 2023-12-23回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
我现在已经开nat穿越了,而且acl没有问题,现在我分部只有往总部这条专线写了一条明细路由,这个接口没有默认路由,接口没有nat配置