Best answer
You need to collect the full debug ike all output to take a look. Is it the part below that isn't matching? Is PFS configured?
ipsec transform-set shgm
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
(0)
PFS is not configured.
*Jan 4 10:04:04:517 2024 HL_DC-DianXin-VPN IKE/7/EVENT: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jan 4 10:04:04:520 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Process IPsec SA payload.
*Jan 4 10:04:04:520 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Check IPsec proposal 1.
*Jan 4 10:04:04:520 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Parse transform 1.
*Jan 4 10:04:04:520 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Lifetime type is in seconds.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Life duration is 3600.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Lifetime type is in kilobytes.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Life duration is 1843200.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Encapsulation mode is Tunnel.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Authentication algorithm is HMAC-SHA2-256.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Key length is 256 bytes.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Transform ID is AES-CBC.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/PACKET: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 The proposal is unacceptable.
*Jan 4 10:04:04:521 2024 HL_DC-DianXin-VPN IKE/7/ERROR: -COntext=1; vrf = 0, local = 60.169.65.123, remote = 61.132.233.194/500 Failed to negotiate IPsec SA.
Authentication algorithm is HMAC-SHA2-256. Key length is 256 bytes. Transform ID is AES-CBC. The proposal is unacceptable. These are probably the main lines; they are the parameters sent by the peer.
#
interface GigabitEthernet1/0/1
port link-mode route
description .....dianxin 100M
ip address 60.169.65.123 255.255.255.0
ip address 60.169.65.13 255.255.255.0 sub
packet-filter ipv6 3005 inbound
nat server protocol tcp global 60.169.65.123 443 inside 10.10.252.30 443
ipsec apply policy hldc_policy
#
ipsec policy hldc_policy 1 isakmp template hldc_dx
#
ipsec policy-template hldc_dx 25162
transform-set shgm
ike-profile 251-62_peer
#
ipsec transform-set shgm
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
#
ike profile 251-62_peer
keychain 251-62_peer
exchange-mode aggressive
local-identity address 60.169.65.123
match remote identity fqdn USG6300E
match local address 60.169.65.123
proposal 3
#
ike keychain 251-62_peer
pre-shared-key hostname USG6300E key cipher $c$3$1tDKxFA6e7ciLgb/gaxPoBm3qcpyVQdCakLLBw==
#
ike proposal 3
encryption-algorithm aes-cbc-128
dh group14
authentication-algorithm sha256
(0)
Try changing all of the security algorithms.
(0)
I changed all of them and it still reports: The proposal is unacceptable.
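
The comparison the first reply asks for, as an added example (not code from the thread or from the vendor): it parses the peer's phase-2 offer out of the debug output, even when entries are run together on one line, and diffs it against the local transform-set. The sample log is constructed, and the keyword-to-name mapping and the tunnel-mode default are assumptions.

```python
import re

# Constructed sample modelled on the thread's debug output (placeholder host and addresses).
PREFIX = ("*Jan 4 10:04:04:521 2024 vpn-gw IKE/7/PACKET: -COntext=1; vrf = 0, "
          "local = 192.0.2.1, remote = 198.51.100.2/500 ")
SAMPLE_LOG = " ".join(PREFIX + msg for msg in (
    "Check IPsec proposal 1.", "Encapsulation mode is Tunnel.",
    "Authentication algorithm is HMAC-SHA2-256.", "Key length is 256 bytes.",
    "Transform ID is AES-CBC.", "The proposal is unacceptable."))
SAMPLE_CFG = """ipsec transform-set shgm
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha256"""

# One debug entry starts at each "*Mon D hh:mm:ss:ms YYYY host IKE/level/type: " header.
ENTRY = re.compile(r"\*\w{3}\s+\d+ [\d:]+ \d{4} \S+ IKE/\d/\w+: ")
ATTRS = {"encapsulation": r"Encapsulation mode is (\S+?)\.",
         "auth": r"Authentication algorithm is (\S+?)\.",
         "key_bits": r"Key length is (\d+)",
         "cipher": r"Transform ID is (\S+?)\."}
# Assumption: mapping from config keyword to the name printed by the debug output.
AUTH_NAMES = {"sha256": "HMAC-SHA2-256", "sha384": "HMAC-SHA2-384"}

def parse_offer(log):
    """Collect the peer's phase-2 attributes, one debug entry at a time."""
    offer = {"rejected": False}
    for entry in ENTRY.split(log):
        for name, pattern in ATTRS.items():
            m = re.search(pattern, entry)
            if m:
                offer[name] = m.group(1).upper()
        offer["rejected"] |= "proposal is unacceptable" in entry
    return offer

def parse_transform_set(cfg):
    """Read the local transform-set; tunnel mode is assumed (not read from config)."""
    local = {"encapsulation": "TUNNEL"}
    for words in (line.split() for line in cfg.splitlines()):
        if words[:2] == ["esp", "encryption-algorithm"]:
            # aes-cbc-256 -> ("aes-cbc", "256"); 3des-cbc has no size suffix -> None
            cipher, bits = re.fullmatch(r"(.+?)(?:-(\d+))?", words[2]).groups()
            local["cipher"], local["key_bits"] = cipher.upper(), bits
        elif words[:2] == ["esp", "authentication-algorithm"]:
            local["auth"] = AUTH_NAMES.get(words[2], words[2].upper())
    return local

def mismatches(offer, local):
    """Return {attribute: (peer value, local value)} for every difference."""
    return {k: (offer.get(k), local.get(k))
            for k in ("encapsulation", "auth", "cipher", "key_bits")
            if offer.get(k) != local.get(k)}
```

On this data `mismatches(parse_offer(SAMPLE_LOG), parse_transform_set(SAMPLE_CFG))` is empty: the four attributes the log prints agree with `shgm`, so they do not by themselves account for the rejection.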