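Does the simulator support a GRE over IPsec + RADIUS authentication configuration? I used the RADIUS server built into the simulator; after configuring it, the flag shows Unknown during IKE SA negotiation, while the state is normal when RADIUS is not used. Please advise whether the configuration is correct or whether the simulator's built-in RADIUS server is at fault: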
#
radius scheme rd
primary authentication 192.168.56.102 key cipher $c$3$op42b0K52Q04g7U3ExN/9EPM08yyMBojvpwnqQ==
primary accounting 192.168.56.102 key cipher $c$3$fySuMC1e6no5WluAFmZv7Fro9GzTqvFCz6040A==
user-name-format without-domain
#
domain system
authentication ike radius-scheme rd local
authorization ike radius-scheme rd local
#
domain default enable system
#
local-user whfz class network
password cipher $c$3$wGXxbbW8dlj+Pif/Ik5gdgIo5NMV0gPg7kobVw==
service-type ike
authorization-attribute user-role network-operator
#
ipsec transform-set tranfz
encapsulation-mode transport
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy bjzb 1 isakmp
transform-set tranfz
security acl 3000
remote-address 100.2.2.1
ike-profile shfz
sa trigger-mode auto
#
ipsec policy bjzb 2 isakmp
transform-set tranfz
security acl 3001
remote-address whfz
ike-profile whfz
sa trigger-mode auto
#
ike identity fqdn bjzb
#
ike profile shfz
keychain shfz
local-identity address 100.1.1.1
match remote identity address 100.2.2.1 255.255.255.0
proposal 1
#
ike profile whfz
keychain whfz
dpd interval 10 on-demand
exchange-mode aggressive
local-identity fqdn bjzb
match remote identity fqdn whfz
proposal 1
client-authentication xauth
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain shfz
pre-shared-key address 100.2.2.1 255.255.255.255 key cipher $c$3$dIIkVJ3OVn/y51BMvCWvrDjwL4GDDTyoRoqAqg==
#
ike keychain whfz
pre-shared-key hostname whfz key cipher $c$3$haX6gboNe29WSGvYzVTzrlsOHpxXoTT00frs1g==
#
-------------------------------------------------------------------------------------------------------------
<bjzb>disp ike sa
Connection-ID Local Remote Flag DOI
-------------------------------------------------------------------------
1 100.1.1.1 100.2.2.1 RD IPsec
14 100.1.1.1 100.3.3.1 Unknown IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
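Best answer
An IKE SA state of "Unknown" is usually related to an IKE profile configuration error. The specific resolution is as follows:
Check the integrity of the IKE profile references
[Device] ike profile profile1
keychain keychain1 # must contain the pre-shared key
match remote identity # must match the peer's ID
client-authentication xauth # a RADIUS scheme must be associated when extended authentication is enabled
aaa authorization domain ike # specifies the AAA authorization domain
Key points for the RADIUS server configuration
radius scheme ike-scheme
primary authentication 1.1.1.1 1812 # server IP/port
key authentication cipher $password # shared-key encryption mode
user-name-format without-domain # user name format
Key debugging methods
debugging ike all
debugging radius all
display ike sa verbose # view detailed SA status
Handling special scenarios
acl advanced 3101
rule permit gre source 1.1.1.1 0 destination 2.2.2.2 0
Notes on simulator limitations
If the problem persists after you have confirmed that the configuration is correct, export the complete configuration file and debug logs (including the packet exchange) for in-depth analysis.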
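Added example, not part of the original answer or of any vendor tooling: a small offline check of the references the answer lists (keychain with a pre-shared key, a peer ID on `match remote identity`, and a RADIUS scheme behind `client-authentication xauth`). It assumes a `#`-delimited configuration dump like the one pasted in the question; the helper names `sections`, `arg` and `check` are hypothetical, and the sample text is constructed.

```python
import re

# Constructed sample modelled on the question's configuration (key is a placeholder).
SAMPLE = """radius scheme rd
 primary authentication 192.168.56.102
#
domain system
 authentication ike radius-scheme rd local
#
ike profile whfz
 keychain whfz
 match remote identity fqdn whfz
 client-authentication xauth
#
ike keychain whfz
 pre-shared-key hostname whfz key cipher PLACEHOLDER
"""

def sections(cfg):
    """Split a '#'-delimited configuration into {header: [sub-commands]}."""
    blocks = ([l.strip() for l in b.splitlines() if l.strip()]
              for b in re.split(r"(?m)^[ \t]*#[ \t]*$", cfg))
    return {b[0]: b[1:] for b in blocks if b}

def arg(body, prefix):
    """Text after the first sub-command that starts with prefix, else None."""
    return next((l[len(prefix):].strip() for l in body
                 if l == prefix or l.startswith(prefix + " ")), None)

def check(cfg):
    """Hypothetical helper: list broken references around each IKE profile."""
    sec, issues = sections(cfg), []
    # Assumption: XAUTH needs some domain whose ike authentication names a RADIUS scheme.
    schemes = [m.group(1) for h, b in sec.items() if h.startswith("domain ")
               for l in b if (m := re.match(r"authentication ike radius-scheme (\S+)", l))]
    radius_ok = any(arg(sec.get(f"radius scheme {s}", []), "primary authentication")
                    for s in schemes)
    for head, body in sec.items():
        if not head.startswith("ike profile "):
            continue
        kc = arg(body, "keychain")
        if not kc or arg(sec.get(f"ike keychain {kc}", []), "pre-shared-key") is None:
            issues.append(f"{head}: keychain {kc} is missing or has no pre-shared-key")
        if not arg(body, "match remote identity"):
            issues.append(f"{head}: 'match remote identity' has no peer ID")
        if arg(body, "client-authentication") == "xauth" and not radius_ok:
            issues.append(f"{head}: xauth is on but no domain points ike at a defined RADIUS scheme")
    return issues
```

An empty list from `check()` only means the references resolve; it says nothing about whether the RADIUS server actually answers, which is what the `debugging radius all` output would show.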