The branch uses an H3C F1000-AI-60 to run an IPsec VPN with a Huawei device at headquarters. It worked normally before, then the tunnel suddenly went down. Because of device permissions I can currently only operate the branch device. Headquarters reports that the tunnel is up, but IPsec diagnostics on the branch device report a fault and traffic is abnormal. I have checked the configuration headquarters sent back and everything matches; the device has been rebooted but the tunnel still will not come up. Diagnostic screenshots are below.
Please post screenshots of the IKE configuration on both the headquarters side and the branch side.
(1) Check whether Host A and Host B can ping their respective IPsec gateways, and whether the IPsec gateways can ping each other.
Use the ping command to check network connectivity.
a. Make sure each host can ping its IPsec gateway and that the IPsec gateways can ping each other.
b. If the fault persists, go to step (2).
(2) Check that each IPsec gateway has a correct route to the subnet of the peer host.
Run display ip routing-table on each IPsec gateway and confirm that a route to the peer host's subnet exists.
Routing information on Device A:
<DeviceA> display ip routing-table
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost NextHop Interface
10.1.2.0/24 Static 60 0 2.2.2.2 GE1/0/2
Routing information on Device B:
<DeviceB> display ip routing-table
Destinations : 1 Routes : 1
Destination/Mask Proto Pre Cost NextHop Interface
10.1.1.0/24 Static 60 0 2.2.3.2 GE1/0/2
If the routes are wrong, configure them correctly, for example:
<DeviceA> system-view
[DeviceA] ip route-static 10.1.2.0 24 2.2.2.2
<DeviceB> system-view
[DeviceB] ip route-static 10.1.1.0 24 2.2.3.2
If the fault persists, go to step (3).
(3) Check that the security policies between security zones are correct.
On Device A, check the security zone and security policy configuration and make sure the following inter-zone security policies permit traffic:
a. Configure security policies permitting traffic between the Untrust and Local zones so that the devices can establish the IPsec tunnel.
# Configure a security policy rule named ipseclocalout so that Device A can send IPsec tunnel negotiation packets to Device B. The steps are as follows.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name ipseclocalout
[DeviceA-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceA-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceA-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.2.1
[DeviceA-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.3.1
[DeviceA-security-policy-ip-1-ipseclocalout] action pass
[DeviceA-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device A can receive and process IPsec tunnel negotiation packets from Device B. The steps are as follows.
[DeviceA-security-policy-ip] rule name ipseclocalin
[DeviceA-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceA-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceA-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.3.1
[DeviceA-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.2.1
[DeviceA-security-policy-ip-2-ipseclocalin] action pass
[DeviceA-security-policy-ip-2-ipseclocalin] quit
b. Configure security policies permitting traffic between Host A and Host B.
# Configure a security policy rule named trust-untrust so that packets from Host A to Host B are allowed. The steps are as follows.
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host B to Host A are allowed. The steps are as follows.
[DeviceA-security-policy-ip] rule name untrust-trust
[DeviceA-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceA-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceA-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.2.0 24
[DeviceA-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-4-untrust-trust] action pass
[DeviceA-security-policy-ip-4-untrust-trust] quit
[DeviceA-security-policy-ip] quit
On Device B, check the security zone and security policy configuration and make sure the following inter-zone security policies permit traffic:
a. Configure security policies permitting traffic between the Untrust and Local zones so that the devices can establish the IPsec tunnel.
# Configure a security policy rule named ipseclocalout so that Device B can send IPsec tunnel negotiation packets to Device A. The steps are as follows.
[DeviceB] security-policy ip
[DeviceB-security-policy-ip] rule name ipseclocalout
[DeviceB-security-policy-ip-1-ipseclocalout] source-zone local
[DeviceB-security-policy-ip-1-ipseclocalout] destination-zone untrust
[DeviceB-security-policy-ip-1-ipseclocalout] source-ip-host 2.2.3.1
[DeviceB-security-policy-ip-1-ipseclocalout] destination-ip-host 2.2.2.1
[DeviceB-security-policy-ip-1-ipseclocalout] action pass
[DeviceB-security-policy-ip-1-ipseclocalout] quit
# Configure a security policy rule named ipseclocalin so that Device B can receive and process IPsec tunnel negotiation packets from Device A. The steps are as follows.
[DeviceB-security-policy-ip] rule name ipseclocalin
[DeviceB-security-policy-ip-2-ipseclocalin] source-zone untrust
[DeviceB-security-policy-ip-2-ipseclocalin] destination-zone local
[DeviceB-security-policy-ip-2-ipseclocalin] source-ip-host 2.2.2.1
[DeviceB-security-policy-ip-2-ipseclocalin] destination-ip-host 2.2.3.1
[DeviceB-security-policy-ip-2-ipseclocalin] action pass
[DeviceB-security-policy-ip-2-ipseclocalin] quit
b. Configure security policies permitting traffic between Host B and Host A.
# Configure a security policy rule named trust-untrust so that packets from Host B to Host A are allowed. The steps are as follows.
[DeviceB-security-policy-ip] rule name trust-untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceB-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceB-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-3-trust-untrust] destination-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-3-trust-untrust] action pass
[DeviceB-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named untrust-trust so that packets from Host A to Host B are allowed. The steps are as follows.
[DeviceB-security-policy-ip] rule name untrust-trust
[DeviceB-security-policy-ip-4-untrust-trust] source-zone untrust
[DeviceB-security-policy-ip-4-untrust-trust] destination-zone trust
[DeviceB-security-policy-ip-4-untrust-trust] source-ip-subnet 10.1.1.0 24
[DeviceB-security-policy-ip-4-untrust-trust] destination-ip-subnet 10.1.2.0 24
[DeviceB-security-policy-ip-4-untrust-trust] action pass
[DeviceB-security-policy-ip-4-untrust-trust] quit
[DeviceB-security-policy-ip] quit
If the fault persists, go to step (4).
(4) Check that the IPsec policy configuration is correct.
Run display ipsec policy and check that the peer address configured in the IPsec policy on the local IPsec gateway Device A (shown in the Remote address field) is the same as the local address configured on the peer IPsec gateway Device B (shown in the Local address field; if no local address is configured, this is the IP address of the interface to which the IPsec policy is applied). The output on Device A is as follows:
[DeviceA] display ipsec policy
-----------------------------
IPsec Policy: mypolicy
-----------------------------
Sequence number: 2
Alias: hub1-spoke2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3002
Selector mode: standard
Local address: 2.2.2.1
Remote address: 2.2.3.1
Remote address:
Remote address switchback mode: Enabled
Transform set: completetransform
The output on Device B is as follows:
[DeviceB] display ipsec policy
-----------------------------
IPsec Policy: mypolicy
-----------------------------
Sequence number: 2
Alias: hub1-spoke2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3002
Selector mode: standard
Local address: 2.2.3.1
Remote address: 2.2.2.1
Remote address:
Remote address switchback mode: Enabled
Transform set: completetransform
If the fault persists, go to step (5).
(5) Check that the IKE profile and IKE proposal configuration is correct.
a. Check the IKE profile configuration and confirm that the local and remote addresses on both IPsec gateways are correct. If pre-shared key authentication is used, the pre-shared keys on both ends must be identical (configured with the pre-shared-key command); if RSA signature or digital envelope authentication is used, make sure the digital certificate is still within its validity period (check it with display pki certificate domain). An example of the IKE profile configuration on Device A:
[DeviceA] ike keychain keychain1
[DeviceA-ike-keychain-keychain1] pre-shared-key address 2.2.3.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceA-ike-keychain-keychain1] quit
[DeviceA] ike profile profile1
[DeviceA-ike-profile-profile1] keychain keychain1
[DeviceA-ike-profile-profile1] local-identity address 2.2.2.1
[DeviceA-ike-profile-profile1] match remote identity address 2.2.3.1 255.255.255.0
[DeviceA-ike-profile-profile1] quit
An example of the IKE profile configuration on Device B:
[DeviceB] ike keychain keychain1
[DeviceB-ike-keychain-keychain1] pre-shared-key address 2.2.2.1 255.255.255.0 key simple 123456TESTplat&!
[DeviceB-ike-keychain-keychain1] quit
[DeviceB] ike profile profile1
[DeviceB-ike-profile-profile1] keychain keychain1
[DeviceB-ike-profile-profile1] local-identity address 2.2.3.1
[DeviceB-ike-profile-profile1] match remote identity address 2.2.2.1 255.255.255.0
[DeviceB-ike-profile-profile1] quit
b. Check that the IKE proposals on the two IPsec gateways match. Run display ike proposal on Device A and Device B and make sure the parameters are identical, as shown below:
[DeviceA] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman
method algorithm algorithm group
-----------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1
[DeviceB] display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman
method algorithm algorithm group
-----------------------------------------------------------------
default PRE-SHARED-KEY SHA1 DES-CBC Group 1
If the fault persists, go to step (6).
(6) Check that the data flows to be protected are configured correctly on the IPsec gateways.
a. On Device A, run display ipsec policy to find the ACL referenced by the IPsec policy, i.e. the Security data flow field:
[DeviceA] display ipsec policy
-----------------------------
IPsec Policy: mypolicy
-----------------------------
Sequence number: 2
Alias: hub1-spoke2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3002
Then run display acl on Device A to check whether the rules in ACL 3002 match the range of data flows to be protected:
[DeviceA] display acl 3002
Advanced IPv4 ACL 3002, 1 rule,
ACL's step is 5
rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
If the configuration above is wrong, configure the protected data flow as the subnet of Host A to the subnet of Host B, as follows:
[DeviceA] acl advanced 3002
[DeviceA-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[DeviceA-acl-ipv4-adv-3002] quit
[DeviceA] ipsec policy policy2 1 isakmp
[DeviceA-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
b. On Device B, run display ipsec policy to find the ACL referenced by the IPsec policy, i.e. the Security data flow field:
[DeviceB] display ipsec policy
-----------------------------
IPsec Policy: mypolicy
-----------------------------
Sequence number: 2
Alias: hub1-spoke2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3002
Then run display acl on Device B to check whether the rules in ACL 3002 match the range of data flows to be protected:
[DeviceB] display acl 3002
Advanced IPv4 ACL 3002, 1 rule,
ACL's step is 5
rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
If the configuration above is wrong, configure the protected data flow as the subnet of Host B to the subnet of Host A, as follows:
[DeviceB] acl advanced 3002
[DeviceB-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[DeviceB-acl-ipv4-adv-3002] quit
[DeviceB] ipsec policy policy2 1 isakmp
[DeviceB-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
If the fault still persists, run the following debugging commands to collect information on the IPsec tunnel setup process:
<DeviceA> terminal debugging
<DeviceA> terminal monitor
<DeviceA> debugging ike all
<DeviceA> debugging ipsec all
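As an added example (not part of this thread and not H3C code): steps (4), (5b) and (6) above come down to comparing the Remote/Local address fields, the IKE proposal parameters and the protected-flow ACLs across the two gateways. The Python below parses the text of display ipsec policy, display ike proposal and display acl in the layout shown in the answer and reports any mismatch, so the comparison can be run on saved output rather than by eye. The sample output embedded in it is constructed from the values in this thread, and the parsers assume that output layout; other Comware releases may print the fields differently.

```python
"""Cross-check IPsec/IKE show output from the two ends of an H3C tunnel.

Added example, not H3C code: parses `display ipsec policy`, `display ike
proposal` and `display acl` text captured from both gateways and reports the
mismatches that troubleshooting steps (4), (5b) and (6) look for.
"""
import re

# Constructed sample output, built from the values shown in the thread.
DEVICE_A = {
    "ipsec_policy": (
        "IPsec Policy: mypolicy\n"
        "Sequence number: 2\n"
        "Mode: ISAKMP\n"
        "Security data flow: 3002\n"
        "Local address:2.2.2.1\n"        # no space after the colon, as printed
        "Remote address: 2.2.3.1\n"
        "Remote address:\n"              # empty secondary remote address
        "Remote address switchback mode: Enabled\n"
    ),
    "ike_proposal": (
        "Priority Authentication Authentication Encryption Diffie-Hellman\n"
        "         method         algorithm      algorithm  group\n"
        "-----------------------------------------------------------------\n"
        "default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1\n"
    ),
    "acl": (
        "Advanced IPv4 ACL 3002, 1 rule,\n"
        "ACL's step is 5\n"
        "rule 0 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255\n"
    ),
}
# Device B is the mirror image of Device A (constructed the same way).
DEVICE_B = {
    "ipsec_policy": DEVICE_A["ipsec_policy"]
        .replace("Local address:2.2.2.1", "Local address: 2.2.3.1")
        .replace("Remote address: 2.2.3.1", "Remote address: 2.2.2.1"),
    "ike_proposal": DEVICE_A["ike_proposal"],
    "acl": DEVICE_A["acl"].replace(
        "source 10.1.1.0 0.0.0.255 destination 10.1.2.0",
        "source 10.1.2.0 0.0.0.255 destination 10.1.1.0"),
}

def parse_ipsec_policy(text):
    """Extract local address, remote address and the referenced ACL number."""
    def field(name):
        # [ \t]* rather than \s* so that an empty "Remote address:" line
        # cannot swallow the first word of the following line
        m = re.search(rf"^{name}:[ \t]*(\S+)", text, re.MULTILINE)
        return m.group(1) if m else None
    return {"local": field("Local address"),
            "remote": field("Remote address"),
            "acl": field("Security data flow")}

def parse_ike_proposals(text):
    """Return the proposal table as a set of
    (auth method, auth algorithm, encryption algorithm, DH group) tuples."""
    rows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "Priority" or parts[0].startswith("-"):
            continue  # header, sub-header or separator line
        rows.add((parts[1], parts[2], parts[3], " ".join(parts[4:])))
    return rows

ACL_RULE = re.compile(r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                      r"\s+destination\s+(\S+)\s+(\S+)")

def parse_acl(text):
    """Return the permitted (source, wildcard, destination, wildcard) flows."""
    return {m.groups() for m in ACL_RULE.finditer(text)}

WEAK = {"DES-CBC", "MD5", "Group 1", "Group 2"}

def weak_algorithms(proposals):
    """Algorithms in the proposal set that are no longer considered strong."""
    return sorted({alg for row in proposals for alg in row if alg in WEAK})

def compare(dev_a, dev_b):
    """Return a list of findings; an empty list means the three checks agree."""
    findings = []
    pa = parse_ipsec_policy(dev_a["ipsec_policy"])
    pb = parse_ipsec_policy(dev_b["ipsec_policy"])
    if pa["remote"] != pb["local"]:
        findings.append(f"A remote address {pa['remote']} != B local address {pb['local']}")
    if pb["remote"] != pa["local"]:
        findings.append(f"B remote address {pb['remote']} != A local address {pa['local']}")
    ika = parse_ike_proposals(dev_a["ike_proposal"])
    ikb = parse_ike_proposals(dev_b["ike_proposal"])
    if not ika & ikb:  # IKE needs at least one proposal in common
        findings.append(f"no common IKE proposal: A={sorted(ika)} B={sorted(ikb)}")
    acl_a, acl_b = parse_acl(dev_a["acl"]), parse_acl(dev_b["acl"])
    mirrored_b = {(dst, dw, src, sw) for src, sw, dst, dw in acl_b}
    if acl_a != mirrored_b:
        findings.append(f"protected flows are not mirror images: A={sorted(acl_a)} B={sorted(acl_b)}")
    return findings

if __name__ == "__main__":
    for finding in compare(DEVICE_A, DEVICE_B) or ["no mismatches found"]:
        print(finding)
    print("weak IKE algorithms:", weak_algorithms(parse_ike_proposals(DEVICE_A["ike_proposal"])))
```

Capture the three commands from each device into the two dicts and call compare(); an empty list means the checks agree. Because IKE only needs one proposal in common, the proposal check reports a problem only when no proposal matches rather than when the tables differ. weak_algorithms() flags the DES-CBC and Group 1 defaults shown in the output above; a production tunnel should use a stronger explicit proposal.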