问题描述:
做IPV6的ADVPN实验,Spoke查看VAM client Current state为DUMB,debug提示 VAM服务器和ADVPN源接口的地址族不同。我查看了配置没有看出来有那里不对。有没有高手帮看下。
debug报错 如下:
<Spoke1>*May 10 11:43:21:843 2024 Spoke1 VAMC/7/EVENT: 4001::2[0]: FSM status changed from DUMB to OFFLINE.
*May 10 11:43:21:843 2024 Spoke1 VAMC/7/ERROR: 4001::2[0]: The address family of VAM server and ADVPN source interface are different.
*May 10 11:43:21:843 2024 Spoke1 VAMC/7/EVENT: 4001::2[0]: Deleted all hubs.
*May 10 11:43:21:843 2024 Spoke1 VAMC/7/EVENT: 4001::2[0]: FSM status changed from OFFLINE to DUMB.
*May 10 11:43:21:843 2024 Spoke1 VAMC/7/EVENT: 4001::2[0]: The dumb interval was 120 seconds.
设备配置见附件
HUB:
sysname Hub
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ospfv3 1
area 0.0.0.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.0.0.1 255.255.255.252
ipv6 address 1::1/126
#
#
interface Tunnel0 mode advpn udp
ip address 192.168.0.1 255.255.255.0
ospfv3 1 area 0.0.0.0
source GigabitEthernet0/0
ipv6 address 4001::1/64
tunnel protection ipsec profile advpn
vam client hub
vam ipv6 client hubv6
#
interface Tunnel2 mode advpn udp
source GigabitEthernet0/0
#
ip route-static 0.0.0.0 0 1.0.0.2
ipv6 route-static :: 0 1::2
#
domain advpn
authentication advpn local
#
domain system
#
domain default enable advpn
#
r
#
local-user hub class network
password cipher $c$3$UHghD0CZwNrj77o1UfiaqWsfZYccWg==
service-type advpn
authorization-attribute user-role network-operator
#
local-user hubv6 class network
password cipher $c$3$3WVWFeJJNeS/7uliPfrwrIcpd7oGPm3w
service-type advpn
authorization-attribute user-role network-operator
#
local-user spoke1 class network
password cipher $c$3$GRR1dyAcGwKAQgz6ttgKhDkaToIRJFJWHQ==
service-type advpn
authorization-attribute user-role network-operator
#
local-user spoke1v6 class network
password cipher $c$3$eY6SKfj6M3dkqMjY0AME4BuOQi55ALnhcqKT
service-type advpn
authorization-attribute user-role network-operator
#
ipsec transform-set advpn
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile advpn isakmp
transform-set advpn
ike-profile advpn
#
ike profile advpn
keychain advpn
#
ike keychain advpn
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$QVB/1rF1eSK1GnNV87h5hwz1nyUbMy4AOTn/OOg=
pre-shared-key address ipv6 :: 0 key cipher $c$3$hx9hk9YJ6ob83d9/gRUj+lzAC9e8fgM43u0QqF0=
#
vam client name hub
advpn-domain advpn
server primary ip-address 1.0.0.1
pre-shared-key cipher $c$3$+14mD8wfX+c9VlAJ/2ISCYWkJFhGSB7C
user hub password cipher $c$3$e4kTudLVZQF05UozVMu+K6FUHA9sVw==
client enable
#
vam client name hubv6
advpn-domain advpnv6
server primary ipv6-address 1::1
pre-shared-key cipher $c$3$IfwvV0YqBU06mFgod6ZzPzq01JNKWHqyoj9MNFw=
user hubv6 password cipher $c$3$mZvg2zeyVegSW2pAdKYIRQzSxIDftVIq
client enable
#
vam server advpn-domain advpn id 1
pre-shared-key cipher $c$3$RT69GMYemYtP7Dh1IeANRMfHDJ2e1FPu
authentication-method none
server enable
hub-group hub
hub private-address 192.168.0.1
spoke private-address range 192.168.0.1 192.168.0.254
#
vam server advpn-domain advpnv6 id 2
pre-shared-key cipher $c$3$pevar+24D5/bLUeJC0tg59OhptMUII6nz/8ji5E=
authentication-method none
server enable
hub-group hub
hub ipv6 private-address 1::1
spoke ipv6 private-address range 4001::1 4001::2
spoke ipv6 private-address range 4001::1 4001::F
#
return
<Hub>
Spoke1:
<Spoke1>
<Spoke1>dis
<Spoke1>display cu
#
version 7.1.064, Release 0427P22
#
sysname Spoke1
#
ospf 1
area 0.0.0.0
network 8.8.8.8 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ospfv3 1
area 0.0.0.0
#
#
i
#
interface LoopBack10
ip address 8.8.8.8 255.255.255.0
#
interface Vlan-interface10
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 1.0.0.10 255.255.255.252
ipv6 address 2::1/126
#
#
interface Tunnel1 mode advpn udp
ip address 192.168.0.2 255.255.255.0
ospfv3 1 area 0.0.0.0
source GigabitEthernet0/0
ipv6 address 4001::2/64
tunnel protection ipsec profile advpn
vam client spoke1
vam ipv6 client spoke1v6
t
#
ip route-static 0.0.0.0 0 1.0.0.9
ipv6 route-static :: 0 2::2
#
#
ipsec transform-set advpn
esp encryption-algorithm des-cbc
esp authentication-algorithm sha1
#
ipsec profile advpn isakmp
transform-set advpn
ike-profile advpn
#
ike profile advpn
keychain advpn
#
ike keychain advpn
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$BFn4G+HkxF2gYRtXAvjhsBWAj/rD6NrbczPHVYg=
pre-shared-key address ipv6 :: 128 key cipher $c$3$xoMYbCExdR0kJusUcie1F0hYzMoE12EP5R8mLkg=
#
vam client name spoke1
advpn-domain advpn
server primary ip-address 1.0.0.1
pre-shared-key cipher $c$3$ICITAMN4R+9SZlx3bNYR8lOPdivJ7W5Q
user spoke1 password cipher $c$3$QgSO8bcX97E4qIyMLMtgb+N70RjwYlwj8Q==
client enable
#
vam client name spoke1v6
advpn-domain advpnv6
server primary ipv6-address 1::1
pre-shared-key cipher $c$3$f1kj2V7bDY3xHvK5Y59R1VhgyyKnoaY03yhck1c=
user spoke1v6 password cipher $c$3$/f7EQlnXnuyFtfc/E8kEhsAuHDXfVa5dcRD5
client enable
#
return
<Spoke1>
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
大佬下午好,改了后HUB查看 client fsm 提示是在线了,但是clinet type是spoke,spoke侧查看状态依旧是DUMB
你的vam server advpn-domain advpnv6 id 2里指定的hub地址是1::1啊,还把4001::1指定成了spoke,那肯定啊。
另一个问题里的配置私信了。我是参考这个文档来做的:https://www.h3c.com/cn/d_202404/2087419_30005_0.htm#_Toc162888171
多谢大哥