The MSR830 router runs the V5 platform and peers with another vendor's firewall over an IPsec VPN. When the tunnel goes down, the IKE SA and the IPsec SA are both still shown as present.
DPD detection and NAT traversal detection are configured.
Alarms at the time of the outage:
%Jan 14 23:40:52:050 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
%Jan 14 23:40:52:081 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.
On the peer security device, display ipsec sa shows that the ESP SA has not been established.
(0)
Does it recover automatically after the outage? Could you post the configuration so we can take a look?
(0)
It recovers automatically after about half an hour.

version 5.20, Release 2516P22
#
 sysname BoKe_RT
#
 password-control enable
 undo password-control aging enable
 undo password-control history enable
 password-control length 6
 password-control login-attempt 3 exceed lock-time 10
 password-control password update interval 0
 password-control login idle-time 0
 password-control complexity user-name check
#
 ike next-payload check disabled
#
 domain default enable system
#
 dns proxy enable
#
 ip ttl-expires enable
 ip unreachables enable
#
 dar p2p signature-file flash:/p2p_default.mtd
#
 ndp enable
#
 ntdp enable
#
 cluster enable
#
 port-security enable
#
 password-recovery enable
#
acl number 3000
 rule 0 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255
 rule 1 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255
 rule 2 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255
acl number 3333
 description guolv
 rule 0 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255
 rule 1 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255
 rule 2 deny ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255
 rule 1000 permit ip
#
vlan 1
#
vlan 100
 description boxingke
#
vlan 200
 description jingti
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable
#
public-key peer 10.140.0.2
 public-key-code begin
 [public key body omitted]
 public-key-code end
 peer-public-key end
#
ike proposal 1
 encryption-algorithm 3des-cbc
 dh group2
 authentication-algorithm md5
#
ike dpd 1
#
ike peer 1
 proposal 1
 pre-shared-key cipher $c$3$/WWjawzzlhivFSyLoy6j9lOioapSu2oCvOLH
 remote-address 39.152.40.230
 local-address 39.152.39.23
 nat traversal
 dpd 1
#
ipsec transform-set 1
 encapsulation-mode tunnel
 transform esp
 esp authentication-algorithm md5
 esp encryption-algorithm 3des
#
ipsec policy boke 1 isakmp
 security acl 3000
 ike-peer 1
 remote-address 39.152.40.230
 local-address 39.152.39.23
 transform-set 1
#
ipsec profile 1
#
dhcp server ip-pool vlan100
 network 10.140.0.0 mask 255.255.254.0
 gateway-list 10.140.0.1
 dns-list 211.137.32.178 8.8.8.8
#
user-group system
 group-attribute allow-guest
#
local-user admin
 authorization-attribute level 3
 service-type telnet
 service-type web
local-user ygny
 authorization-attribute user-role guest-manager
 service-type ssh
 service-type web
#
cwmp
 undo cwmp enable
#
interface Cellular0/0
 async mode protocol
 link-protocol ppp
 tcp mss 1024
#
interface NULL0
#
interface Vlan-interface100
 ip address 10.140.0.1 255.255.254.0
 ip address 192.168.1.1 255.255.255.0 sub
#
interface GigabitEthernet0/0
 port link-mode route
 nat outbound 3333
 ip address 39.152.39.23 255.255.255.0
 tcp mss 1024
 ipsec policy boke
#
interface GigabitEthernet0/1
 port link-mode route
 tcp mss 1024
#
interface GigabitEthernet0/8
 port link-mode route
 tcp mss 1024
#
interface GigabitEthernet0/9
 port link-mode route
 tcp mss 1024
#
interface GigabitEthernet0/2
 port link-mode bridge
 port access vlan 200
#
interface GigabitEthernet0/3
 port link-mode bridge
 description xia0_luyou
 port access vlan 200
#
interface GigabitEthernet0/4
 port link-mode bridge
 description TO_xinyangguang
 port link-type trunk
 undo port trunk permit vlan 1
 port trunk permit vlan 100 200
#
interface GigabitEthernet0/5
 port link-mode bridge
#
interface GigabitEthernet0/6
 port link-mode bridge
#
interface GigabitEthernet0/7
 port link-mode bridge
 description TO_SW
 port access vlan 100
#
nqa entry admin 1
 type icmp-echo
  destination ip 172.30.77.1
  frequency 100
  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
  source ip 10.140.0.1
#
nqa entry admin 2
 type icmp-echo
  destination ip 172.30.100.1
  frequency 100
  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
  source ip 10.140.0.1
#
nqa entry admin 3
 type icmp-echo
  destination ip 172.30.120.1
  frequency 100
  reaction 1 checked-element probe-fail threshold-type consecutive 3 action-type trigger-only
  source ip 10.140.0.1
#
 ip route-static 0.0.0.0 0.0.0.0 39.152.39.1
#
 dhcp server forbidden-ip 10.140.0.1 10.140.0.50
#
 dhcp enable
#
 nqa schedule admin 1 start-time now lifetime forever
 nqa schedule admin 2 start-time now lifetime forever
 nqa schedule admin 3 start-time now lifetime forever
#
 ssh server enable
 ssh user ygny service-type all authentication-type password
 ssh client authentication server 10.140.0.2 assign publickey 10.140.0.2
#
 ip https enable
#
 load xml-configuration
#
 load tr069-configuration
#
user-interface con 0
user-interface tty 13
user-interface vty 0 4
 authentication-mode scheme
#
No proposal is chosen - Payload=PROPOSAL; IKE packet dropped. When the IKE packet arrived, it did not contain any proposal that the receiving side would accept. In that case the IKE packet is dropped.
During IKE negotiation, each side sends one or more proposals describing how it wants to encrypt, authenticate or otherwise process the data. If the receiving side selects none of them, it may be because the proposals are invalid or unsupported, or because of a configuration error.
Resolving this usually means checking and adjusting the IKE configuration so that both sides support the same encryption and authentication algorithms and have all the necessary parameters configured correctly. In some cases the software or hardware may need to be upgraded or changed to support newer, more secure protocols or algorithms.
(0)
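To make the explanation in the reply above concrete, here is an added example (not code from the thread or from H3C) that parses the two IKE_PACKET_DROPPED alarm lines quoted in the question and then reproduces the IKEv1 phase-1 proposal selection that produces "No proposal is chosen". The local proposal is the router's ike proposal 1 from the posted config; the peer proposal lists are constructed, because the other vendor's settings never appear in the thread. The alarm regex and the attribute names are this example's own choices.

```python
"""Added example (not from the thread): parse the IKE_PACKET_DROPPED alarms and
show how an IKEv1 responder ends up with 'No proposal is chosen'."""
import re
from collections import Counter

# The two alarm lines quoted in the question, copied from the page.
ALARMS = [
    "%Jan 14 23:40:52:050 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230"
    "-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a"
    "-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.",
    "%Jan 14 23:40:52:081 2013 BoKe_RT IKE/4/IKE_PACKET_DROPPED: -Src addr=39.152.40.230"
    "-Dst addr=39.152.39.23-I_COOKIE=aa3e939571fae138-R_COOKIE=9ecd82e91c1d048a"
    "-Cause=No proposal is chosen-Payload=PROPOSAL; IKE packet dropped.",
]

# Field layout follows the alarm text on the page; the regex itself is ours.
ALARM_RE = re.compile(
    r"^%(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d:\d+ \d{4}) (?P<host>\S+) "
    r"IKE/\d/IKE_PACKET_DROPPED: -Src addr=(?P<src>[\d.]+)-Dst addr=(?P<dst>[\d.]+)"
    r"-I_COOKIE=(?P<icookie>[0-9a-f]+)-R_COOKIE=(?P<rcookie>[0-9a-f]+)"
    r"-Cause=(?P<cause>[^-]+)-Payload=(?P<payload>\w+);"
)


def parse_alarm(line):
    """Return the alarm fields as a dict, or None for lines that are not this alarm."""
    m = ALARM_RE.match(line)
    return m.groupdict() if m else None


def drops_by_peer_and_cause(lines):
    """Count drops per (peer address, cause). A burst from one peer carrying the
    same cookies is one failed negotiation being retried, not several peers."""
    counts = Counter()
    for line in lines:
        rec = parse_alarm(line)
        if rec:
            counts[(rec["src"], rec["cause"])] += 1
    return counts


# Phase-1 attributes an IKEv1 responder compares. The local entry is the
# router's 'ike proposal 1' from the config in the thread; the peer lists are
# constructed, since the other vendor's settings are not on the page.
ATTRS = ("enc", "hash", "dh", "auth")
LOCAL_PROPOSALS = [
    {"enc": "3des-cbc", "hash": "md5", "dh": "group2", "auth": "pre-share"},
]
PEER_PROPOSALS_MISMATCH = [
    {"enc": "aes-cbc-128", "hash": "sha1", "dh": "group2", "auth": "pre-share"},
]
PEER_PROPOSALS_MATCH = PEER_PROPOSALS_MISMATCH + [
    {"enc": "3des-cbc", "hash": "md5", "dh": "group2", "auth": "pre-share"},
]


def choose_proposal(responder, initiator):
    """The responder walks its own proposals in priority order and takes the
    first one the initiator also offered; every attribute must match. None means
    nothing usable was found, which is exactly what the alarm reports."""
    for mine in responder:
        for theirs in initiator:
            if all(mine[k] == theirs[k] for k in ATTRS):
                return mine
    return None


def explain_mismatch(responder, initiator):
    """For each (responder, initiator) pair, list the attributes that differ, so
    the operator sees which parameter to align after 'display ike proposal'."""
    return [[k for k in ATTRS if mine[k] != theirs[k]]
            for mine in responder for theirs in initiator]


if __name__ == "__main__":
    for (peer, cause), n in drops_by_peer_and_cause(ALARMS).items():
        print(f"{n} drop(s) from {peer}: {cause}")
    print("chosen:", choose_proposal(LOCAL_PROPOSALS, PEER_PROPOSALS_MISMATCH))
    print("differs in:", explain_mismatch(LOCAL_PROPOSALS, PEER_PROPOSALS_MISMATCH))
```

The router in the thread offers only 3DES with MD5, both of which are legacy algorithms. If the peer's administrator removes them from that firewall's proposal list (for example during a hardening pass), the H3C side will report exactly this alarm on the next rekey; the durable fix is to agree on one modern proposal on both ends rather than to re-enable the old algorithms on the peer.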
An IPsec VPN outage can have the following causes:
Your alarm shows that no suitable proposal was selected during IKE negotiation, which may be due to the first or the second cause. You can use the display ike proposal command to view the local IKE proposal configuration, compare it with the peer's configuration, find the inconsistencies and correct them. You can also use the display ike sa command to view the IKE SA state; if the state is MM_NO_STATE, IKE negotiation has not started or has already failed.
Sources: [Analysis of IPsec VPN setup failures - 知了社区]; [Analysis of IPsec VPN setup failures - Huawei]; [display ike proposal - H3C]; [display ike sa - H3C]
(0)
Hello, please note:
IPsec VPN troubleshooting:
1. Check connectivity between the public addresses.
2. Check that the IPsec ACLs are configured correctly (the ACLs on the two ends must be configured as mirror images of each other).
3. Check that the ike keychain / ike profile negotiation parameters are correct (mode, keychain, identity, local/remote tunnel address or tunnel name, NAT traversal, which is auto-adaptive on V7).
4. Check that the ipsec proposal (V5 platform) / ipsec transform-set (V7 platform) parameters match on both ends (encapsulation mode, security protocol, authentication algorithm, encryption algorithm).
5. Check that an IPsec policy has been created on the device and that the negotiation parameters are loaded into it (ACL, ike profile, ipsec transform-set, peer tunnel IP).
6. Check that the IPsec policy is applied to the correct interface.
IPsec troubleshooting commands:
1. disp ipsec policy
2. disp acl
3. dis cu conf ike-profile
4. dis cu conf ike-keychain
5. display ike proposal
6. display ipsec transform-set
7. disp ike sa (verbose)
8. disp ipsec sa
9. reset ipsec sa
10. reset ike sa
(0)
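Step 2 of the checklist above (the two ends' IPsec ACLs must mirror each other) is easy to get wrong by one wildcard mask, and a one-sided mismatch is a classic cause of an IKE SA that exists while the ESP SA never comes up. The following added example (not code from the thread or from H3C) parses H3C-style permit rules from both sides and reports which rules have no mirror. The local ACL is acl 3000 from the posted config; the remote ACL is constructed, written in the same H3C syntax for illustration (a peer from another vendor would need its rules transcribed into this form), and deliberately carries a wrong source mask on its third rule.

```python
"""Added example (not from the thread): verify that two IPsec ACLs are mirror
images, i.e. every local 'permit' (src, dst) pair has a remote 'permit' (dst, src)."""
import re

# Matches the H3C 'rule N permit|deny ip source A W destination B W' form
# seen in the posted config; other rule shapes are ignored.
RULE_RE = re.compile(
    r"rule (?P<id>\d+) (?P<action>permit|deny) ip "
    r"source (?P<src>[\d.]+) (?P<srcw>[\d.]+) "
    r"destination (?P<dst>[\d.]+) (?P<dstw>[\d.]+)"
)


def parse_acl(text):
    """Return the set of (src, src_wildcard, dst, dst_wildcard) for permit rules.
    Deny rules are skipped: they exclude traffic from the tunnel and have no mirror."""
    rules = set()
    for line in text.strip().splitlines():
        m = RULE_RE.search(line.strip())
        if m and m["action"] == "permit":
            rules.add((m["src"], m["srcw"], m["dst"], m["dstw"]))
    return rules


def mirror(rules):
    """Swap source and destination (with their wildcards) for every rule."""
    return {(dst, dstw, src, srcw) for (src, srcw, dst, dstw) in rules}


def acl_mirror_report(local_text, remote_text):
    """Classify rules: matched on both ends, local-only (remote lacks the mirror),
    remote-only (local lacks the mirror). Anything outside 'matched' needs fixing."""
    local = parse_acl(local_text)
    remote = parse_acl(remote_text)
    return {
        "matched": local & mirror(remote),
        "local_only": local - mirror(remote),
        "remote_only": remote - mirror(local),
    }


# Local side: acl 3000 from the router config in the thread.
LOCAL_ACL = """
acl number 3000
 rule 0 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.77.0 0.0.0.255
 rule 1 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.120.0 0.0.0.255
 rule 2 permit ip source 10.140.0.0 0.0.1.255 destination 172.30.100.0 0.0.0.255
"""

# Constructed remote-side ACL (the other vendor's config is not on the page):
# rules 0 and 1 mirror correctly, rule 2 uses 0.0.0.255 instead of 0.0.1.255
# for the 10.140.0.0 side, so it covers only half of the local /23.
REMOTE_ACL = """
acl number 3000
 rule 0 permit ip source 172.30.77.0 0.0.0.255 destination 10.140.0.0 0.0.1.255
 rule 1 permit ip source 172.30.120.0 0.0.0.255 destination 10.140.0.0 0.0.1.255
 rule 2 permit ip source 172.30.100.0 0.0.0.255 destination 10.140.0.0 0.0.0.255
"""


if __name__ == "__main__":
    report = acl_mirror_report(LOCAL_ACL, REMOTE_ACL)
    for kind, rules in report.items():
        for src, srcw, dst, dstw in sorted(rules):
            print(f"{kind:12s} {src} {srcw} -> {dst} {dstw}")
```

Feed it the output of disp acl from both ends after the other vendor's rules have been rewritten in this form; anything reported as local_only or remote_only is the selector pair that will fail to negotiate a phase-2 SA, while the rest of the tunnel can still come up, which matches the "IKE SA present, ESP SA missing" symptom from the question.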