防火墙F1000 IPSce vpn第二协商连接不上成功
- 0关注
- 0收藏,469浏览
问题描述:
第一协商建立起来,第二协商为建立
<FW|SecPath F1000>display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
708 112.20.198.109/1841 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<FW|SecPath F1000>*Jul 10 18:12:48:767 2024 FW|SecPath F1000 IKE/7/EVENT: Received packet successfully.
*Jul 10 18:12:48:767 2024 FW|SecPath F1000 IKE/7/EVENT: Ignore NAT keepalive packet.
<H3C>display ike sa
Connection-ID Local Remote Flag DOI
------------------------------------------------------------------
55 100.118.84.223 223.106.255.2/4500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
组网及组网描述:
<FW|SecPath F1000>*Jul 10 18:10:28:770 2024 FW|SecPath F1000 IKE/7/EVENT: Received packet successfully.
*Jul 10 18:10:28:770 2024 FW|SecPath F1000 IKE/7/EVENT: Ignore NAT keepalive packet.
*Jul 10 18:10:48:769 2024 FW|SecPath F1000 IKE/7/EVENT: Received packet successfully.
*Jul 10 18:10:48:769 2024 FW|SecPath F1000 IKE/7/EVENT: Ignore NAT keepalive packet.
*Jul 10 18:11:08:769 2024 FW|SecPath F1000 IKE/7/EVENT: Received packet successfully.
*Jul 10 18:11:08:769 2024 FW|SecPath F1000 IKE/7/EVENT: Ignore NAT keepalive packet.
<FW|SecPath F1000>display ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
708 112.20.198.109/1841 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<FW|SecPath F1000>*Jul 10 18:12:48:767 2024 FW|SecPath F1000 IKE/7/EVENT: Received packet successfully.
*Jul 10 18:12:48:767 2024 FW|SecPath F1000 IKE/7/EVENT: Ignore NAT keepalive packet.
忽略NAT保活数据包
<FW|SecPath F1000>display acl all
Advanced IPv4 ACL 3000, 2 rules,
ACL's step is 5
rule 11 deny ip source 172.16.0.0 0.0.255.255 destination 192.168.8.0 0.0.0.255
rule 100 permit ip (7111 times matched)
<H3C>display ike sa
Connection-ID Local Remote Flag DOI
------------------------------------------------------------------
55 100.118.84.223 223.106.255.2/4500 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<H3C>*Jul 10 18:12:24:731 2024 H3C IKE/7/EVENT: Send udp packet by socket 45 SrcPort 4500.
*Jul 10 18:12:24:731 2024 H3C IKE/7/EVENT: vrf = 0, local = 100.118.84.223, remote = 223.106.255.2/4500
Sent data to socket successfully.
*Jul 10 18:12:44:731 2024 H3C IKE/7/EVENT: Send udp packet by socket 45 SrcPort 4500.
*Jul 10 18:12:44:731 2024 H3C IKE/7/EVENT: vrf = 0, local = 100.118.84.223, remote = 223.106.255.2/4500
Sent data to socket successfully.
<H3C>display acl all
Advanced IPv4 ACL 3888, 2 rules,
ACL's step is 5
rule 11 deny ip source 192.168.8.0 0.0.0.255 destination 172.16.0.0 0.0.255.255 (6 times matched)
rule 100 permit ip (1673 times matched)
Advanced IPv4 ACL 3999, 1 rule,
ACL's step is 5
rule 10 permit ip source 192.168.8.0 0.0.0.255 destination 172.16.0.0 0.0.255.255 (6 times matched)
- 2024-07-10提问
- 举报
-
(0)
最佳答案
可参考如下案例检查下配置:
客户现场有多个分支,为了实现总部与分支之间互通,且要确保数据传递的安全性,总部分支之间需要使用ipsec对数据进行加密。由于存在多个分支,为了实现总部配置的简洁性,总部采用模板方式。用设备的loopback地址模拟内网PC。
第 1 步:总部路由器配置
#
ike proposal 1 //配置ike proposal
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
#
ike keychain 1 //创建ike keychain,匹配分支1地址
pre-shared-key address 10.88.142.120 255.255.255.255 key simple 123
#
ike keychain 2 //创建ike keychain,匹配分支2地址
pre-shared-key address 10.88.142.121 255.255.255.255 key simple 123
#
ike profile 1 //创建ike proflle,关联keychain 1
keychain 1
local-identity address 10.153.42.93
match remote identity address 10.88.142.120 255.255.255.255
proposal 1
#
ike profile 2 //创建ike proflle,关联keychain 2
keychain 2
local-identity address 10.153.42.93
match remote identity address 10.88.142.121 255.255.255.255
proposal 1
#
ipsec transform-set 1 //配置ipsec安全提议
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy-template fz 1 //创建分支模板1
transform-set 1
local-address 10.153.42.93
remote-address 10.88.142.120
ike-profile 1
#
ipsec policy-template fz 2 //创建分支模板2
transform-set 1
local-address 10.153.42.93
remote-address 10.88.142.121
ike-profile 2
##
ipsec policy aaa 1 isakmp template fz //创建ipsec策略模板
#
interface LoopBack0 //配置测试地址
ip address 1.1.1.1 255.255.255.255
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
ip address 10.153.42.93 255.255.255.0
ipsec apply policy aaa
#
第 2 步:分支1(V7)路由器配置
#
acl advanced 3210 //创建ipsec感兴趣流
rule 0 permit ip source 3.3.3.3 0 destination 1.1.1.1 0
#
#
ike keychain 2 //创建ike keychain,指向总部ip地址
pre-shared-key address 10.153.42.93 255.255.255.255 key simple 123
#
ike proposal 1 //创建ike proposal
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike profile 1 //创建ike profile,关联ike keychain和proposal
keychain 1
local-identity address 10.88.142.121 //指本端地址用local-identity address,不要使用match local address
match remote identity address 10.153.42.93 255.255.255.255
proposal 1
#
ipsec transform-set 1 //创建ipsec安全提议
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy aaa 1 isakmp //创建ipsec策略
transform-set 1
security acl 3210
local-address 10.88.142.121
remote-address 10.153.42.93
ike-profile 1
#
interface LoopBack0 //配置测试地址
ip address 3.3.3.3 255.255.255.255
#
interface GigabitEthernet2/0/0 //公网口下发ipsec策略
ip address 10.88.142.121 255.255.255.0
ipsec apply policy aaa
#
第 3 步:分支2(V5)路由器配置
#
acl number 3210 //配置ipsec感兴趣流
rule 0 permit ip source 2.2.2.2 0 destination 1.1.1.1 0
#
ike proposal 1 //配置ipsec proposal
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer 1 //配置ike 对等体
proposal 1
pre-shared-key simple 123
remote-address 10.153.42.93
#
ipsec transform-set 1 //配置ipsec安全提议
encapsulation-mode tunnel
transform esp
esp authentication-algorithm md5
esp encryption-algorithm 3des
#
ipsec policy aaa 1 isakmp //配置ipsec策略
security acl 3210
ike-peer 1
transform-set 1
#
interface LoopBack0 //配置测试地址
ip address 2.2.2.2 255.255.255.255
#
interface GigabitEthernet3/0/0 //公网口下发ipsec策略
port link-mode route
ip address 10.88.142.120 255.255.255.0
ipsec policy aaa
#
第 4 步:分支1与总部互通测试
<FZ1>ping -a 3.3.3.3 2.2.2.2
Ping 2.2.2.2 (2.2.2.2) from 3.3.3.3: 56 data bytes, press CTRL_C to break
56 bytes from 2.2.2.2: icmp_seq=0 ttl=255 time=0.290 ms
56 bytes from 2.2.2.2: icmp_seq=1 ttl=255 time=0.170 ms
56 bytes from 2.2.2.2: icmp_seq=2 ttl=255 time=0.182 ms
56 bytes from 2.2.2.2: icmp_seq=3 ttl=255 time=0.144 ms
56 bytes from 2.2.2.2: icmp_seq=4 ttl=255 time=0.140 ms
--- Ping statistics for 2.2.2.2 ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.140/0.185/0.290/0.055 ms
[FZ1]dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
24 10.153.42.93 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING
<FZ1>dis ipsec sa
-------------------------------
Interface: GigabitEthernet2/0/0
-------------------------------
-----------------------------
IPsec policy: aaa
Sequence number: 2
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 10.88.142.121
remote address: 10.153.42.93
Flow:
sour addr: 3.3.3.3/255.255.255.255 port: 0 protocol: ip
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3934162279 (0xea7e8d67)
Connection ID: 115964116993
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/2397
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 2922365795 (0xae2fc363)
Connection ID: 158913789952
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/2397
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
第 5 步:分支2与总部互通测试
<FZ2> PING 1.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=255 time=35 ms
Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=255 time=47 ms
Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=255 time=35 ms
Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=255 time=35 ms
--- 1.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 35/38/47 ms
<FZ2X>dis ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------------
7 10.153.42.93 RD|ST 1 IPSEC
8 10.153.42.93 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK—REKEY
<FZ2>dis ipsec sa
===============================
Interface: GigabitEthernet3/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "aaa"
sequence number: 1
acl version: ACL4
mode: isakmp
-----------------------------
PFS: N, DH group: none
tunnel:
local address: 10.88.142.120
remote address: 10.153.42.93
flow:
sour addr: 2.2.2.2/255.255.255.255 port: 0 protocol: IP
dest addr: 1.1.1.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 0x1FFC45F4(536626676)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 7
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3560
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 0x201F0CBD(538905789)
transform: ESP-ENCRYPT-3DES ESP-AUTH-MD5
in use setting: Tunnel
connection id: 8
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843199/3560
anti-replay detection: Enabled
anti-replay window size(counter based): 32
udp encapsulation used for nat traversal: N
第 6 步:总部ike及ipsec sa建立情况
<H3C>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
45 10.88.142.120 RD IPsec
44 10.88.142.121 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING
<H3C>dis ipsec sa
-------------------------------
Interface: GigabitEthernet0/0
-------------------------------
-----------------------------
IPsec policy: aaa
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 1
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 10.153.42.93
remote address: 10.88.142.120
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 2.2.2.2/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 538905789 (0x201f0cbd)
Connection ID: 55834574850
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3435
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 536626676 (0x1ffc45f4)
Connection ID: 47244640259
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/3435
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
-----------------------------
IPsec policy: aaa
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1444
Tunnel:
local address: 10.153.42.93
remote address: 10.88.142.121
Flow:
sour addr: 1.1.1.1/255.255.255.255 port: 0 protocol: ip
dest addr: 3.3.3.3/255.255.255.255 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2922365795 (0xae2fc363)
Connection ID: 73014444033
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/2146
Max received sequence-number: 4
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 3934162279 (0xea7e8d67)
Connection ID: 73014444032
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-MD5
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1843199/2146
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
Status: Active
- 2024-07-10回答
- 评论(0)
- 举报
-
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论