F100-C-G
- 0关注
- 1收藏,3067浏览
问题描述:
您好,F100-C-G和MSR830搭建IPSEC VPN,F100-C-G是固定IP,MSR830是动态PPPOE,VPN建立不起来,
F100 debug信息
The policy's acl or ike profile does not match the flow, Name = GE1/0/3, Seqnum = 1
*Sep 30 17:16:45:241 2017 H3C IPSEC/7/EVENT:
MSR830
HD-MSR830>*Jan 1 04:07:29:337 2011 HD-MSR830 IPSEC/7/EVENT:
Sent debug message to all nodes, message type is 0x3.
*Jan 1 04:07:30:497 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:30:497 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:30:497 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:30:497 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:30:497 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:30:502 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:30:502 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:35:499 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:35:499 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:35:499 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:35:499 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:35:499 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:35:504 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:35:504 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:38:000 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:38:000 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:38:000 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:38:000 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:38:000 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:38:005 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:38:005 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:40:499 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:40:499 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:40:499 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:40:499 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:40:499 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:40:504 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:40:504 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:41:148 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:41:148 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:41:148 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:41:148 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:41:148 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:41:152 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:41:152 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:45:205 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:45:205 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:45:205 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:45:205 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:45:205 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:45:211 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:45:211 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:45:497 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
*Jan 1 04:07:45:497 2011 HD-MSR830 IPSEC/7/PACKET:
Failed to find SA by SP, SP Index = 0, SP Convert-Seq = 65536.
*Jan 1 04:07:45:497 2011 HD-MSR830 IPSEC/7/ERROR:
The reason of dropping packet is no available IPsec tunnel.
*Jan 1 04:07:45:497 2011 HD-MSR830 IPSEC/7/EVENT:
Sent SA-Acquire message : SP ID = 0
*Jan 1 04:07:45:497 2011 HD-MSR830 IPSEC/7/EVENT:
Received negotiatiate SA message from IPsec kernel.
*Jan 1 04:07:45:502 2011 HD-MSR830 IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
*Jan 1 04:07:45:502 2011 HD-MSR830 IPSEC/7/EVENT:
The SA doesn't exist in kernel.
*Jan 1 04:07:50:499 2011 HD-MSR830 IPSEC/7/EVENT:
Can't find block-flow node.
- 2017-10-02提问
- 举报
-
(0)
最佳答案
<F100>dis cur
#
version 7.1.064, Release 9510P03
#
sysname H3C
#
context Admin id 1
#
ip vpn-instance management
route-distinguisher 1000000000:1
vpn-target 1000000000:1 import-extcommunity
vpn-target 1000000000:1 export-extcommunity
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name NEIWANG
address X.X.X.X X.X.X.X
#
password-recovery enable
#
vlan 1
#
vlan 110
#
vlan 999
#
interface NULL0
#
interface Vlan-interface110
ip address 192.168.110.254 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip binding vpn-instance management
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable fiber
#
interface GigabitEthernet1/0/2
port link-mode route
ip binding vpn-instance management
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
duplex full
speed 100
ip address X.X.X.X 255.255.255.252
nat outbound 3001
nat server protocol tcp global 111.198.152.49 81 inside 192.168.0.139 8080
nat server protocol tcp global current-interface 8087 inside 192.168.110.181 8881
nat server protocol tcp global current-interface 8089 inside 192.168.110.181 11010
nat server protocol tcp global current-interface 8092 inside 192.168.110.3 3690
nat server protocol tcp global current-interface 8093 inside 192.168.110.3 22
nat server protocol tcp global current-interface 8094 inside 192.168.110.5 3389
nat server protocol tcp global current-interface 8095 inside 192.168.110.5 8080
nat server protocol tcp global current-interface 8096 inside 192.168.110.5 1433
nat server protocol tcp global current-interface 8097 inside 192.168.110.181 8088
nat server protocol tcp global current-interface 8098 inside 192.168.110.181 81
ipsec apply policy GE1/0/3
#
interface GigabitEthernet1/0/6
port link-mode route
ip address 192.168.254.1 255.255.255.0
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
ip address 192.168.15.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode bridge
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 999
#
interface GigabitEthernet1/0/5
port link-mode bridge
port access vlan 110
#
object-policy ip Local-Trust
rule 0 pass
#
object-policy ip Local-Untrust
rule 0 pass
#
object-policy ip Trust-Local
rule 0 pass
#
object-policy ip Trust-Untrust
rule 0 pass
#
object-policy ip Untrust-Local
rule 0 pass
#
object-policy ip Untrust-Trust
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/6
import interface GigabitEthernet1/0/11
import interface GigabitEthernet1/0/4 vlan 999
#
security-zone name DMZ
import interface Vlan-interface110
import interface GigabitEthernet1/0/5 vlan 110
#
security-zone name Untrust
import interface GigabitEthernet1/0/3
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source Local destination Trust
object-policy apply ip Local-Trust
#
zone-pair security source Local destination Untrust
object-policy apply ip Local-Untrust
#
zone-pair security source Trust destination Local
object-policy apply ip Trust-Local
#
zone-pair security source Trust destination Untrust
object-policy apply ip Trust-Untrust
#
zone-pair security source Untrust destination Local
object-policy apply ip Untrust-Local
#
zone-pair security source Untrust destination Trust
object-policy apply ip Untrust-Trust
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 61.50.125.213
ip route-static 192.168.0.0 16 192.168.254.2
#
ssh server enable
#
acl advanced 3000
rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 172.16.12.0 0.0.0.255
#
acl advanced 3001
rule 0 deny ip source 192.168.0.0 0.0.255.255 destination 172.16.12.0 0.0.0.255
rule 1 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$UbIhNnPevyKUwfpm$LqR3+yg1IjNct39MkOR0H0iQXLkYB3jMqM4vbAeoXOhbabIIFnjJPEGR00YiYA1Sz4LiY3FmEdru2fOLMb1shQ==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set dhcc
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec transform-set GE1/0/3_IPv4_1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template GE1/0/3 1
transform-set GE1/0/3_IPv4_1
security acl 3000
local-address X.X.X.X
ike-profile GE1/0/3_IPv4_1
#
ipsec policy GE1/0/3 1 isakmp template GE1/0/3
#
ike identity fqdn dhcc
#
ike profile dhcc
keychain dhcc
exchange-mode aggressive
local-identity fqdn dhcc
match remote identity fqdn dhcc-hd
proposal 1
#
ike profile GE1/0/3_IPv4_1
keychain GE1/0/3_IPv4_1
exchange-mode aggressive
local-identity fqdn dhcc
match remote identity fqdn dhcc-hd
proposal 65535
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike proposal 65535
encryption-algorithm 3des-cbc
authentication-algorithm md5
description GE1/0/3_IPv4_1
#
ike keychain dhcc
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Pb6M5BkKWRwMq8MxuQgCviUBDDDLekafUw==
#
ike keychain GE1/0/3_IPv4_1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$M/KW5EXlGkeDNg2mmq/5cTnAlhRt2JU8tQ==
#
ip https enable
#
return
<H3C>
<H3C>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
4 61.135.136.94 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<F100>dis ipsec sa
-----------------------------------------------------------------------------------------------------
[BEGIN] 2017/9/30 17:25:17
<HD-MSR830>dis cur
#
version 7.1.064, Release 0605P05
#
sysname HD-MSR830
#
telnet server enable
#
dialer-group 1 rule ip permit
#
ip load-sharing mode per-flow src-ip global
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool lan1
gateway-list 172.16.12.1
network 172.16.12.0 mask 255.255.255.0
address range 172.16.12.2 172.16.12.254
dns-list 202.106.0.20 202.106.46.151
#
controller Cellular0/0
#
interface Aux0
#
interface Dialer0
ppp chap password cipher $c$3$Yoh2gX8T+WU0/saXEA7Uj0SJhnZCVVxzz2o/
ppp chap user qs010311
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user qs010311 password cipher $c$3$rezTBdx9L1jKIBuapGShibAj441fI88Pvq0+
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
nat outbound 3001
ipsec apply policy dhcc-hd
#
interface Dialer1
#
interface Dialer2
#
interface Dialer3
#
interface Dialer4
#
interface Dialer5
#
interface Dialer6
#
interface Dialer7
#
interface Dialer8
#
interface Dialer1023
#
interface Virtual-Template0
#
interface NULL0
#
interface Vlan-interface1
ip address 172.16.12.1 255.255.255.0
tcp mss 1280
#
interface GigabitEthernet0/0
port link-mode route
description Single_Line1
combo enable copper
pppoe-client dial-bundle-number 0
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
authentication-mode none
user-role network-admin
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 Dialer0
#
acl advanced 3000
rule 0 permit ip source 172.16.12.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
#
acl advanced 3001
rule 0 deny ip source 172.16.12.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
rule 1 permit ip
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$X99HB388dmkmxJ2v$nkZTin5R9tbXK00IqoZH+WSPAH425neOc0OFg+EKCV4CbcGyPVhv91CyRch7nzP8RonTj09mcQrOn1sNP6x2Fw==
service-type telnet http
authorization-attribute user-role network-admin
#
ipsec transform-set dhcc-hd
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy dhcc-hd 1 isakmp
transform-set dhcc-hd
security acl 3000
remote-address X.X.X.X
ike-profile dhcc-hd
#
ipsec policy hdcc-hd 1 isakmp
remote-address X.X.X.X
#
ike identity fqdn dhcc-hd
#
ike profile dhcc-hd
keychain dhcc-hd
exchange-mode aggressive
local-identity fqdn dhcc-hd
match remote identity fqdn dhcc
match remote identity address X.X.X.X 255.255.255.255
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
authentication-algorithm md5
#
ike keychain dhcc-hd
pre-shared-key address X.X.X.X 255.255.255.255 key cipher $c$3$OIPi2GpTwKTcqEGKZchvGisi6OnF95KrWQ==
#
ip http enable
#
wlan global-configuration
control-address disable
#
wlan ap-group default-group
#
cloud-management server domain oasis.h3c.com
#
return
<HD-MSR830>
<HD-MSR830>
<HD-MSR830>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
3 X.X.X.X RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<HD-MSR830>dis ipsec sa
[END] 2017/9/30 17:25:39
- 2017-10-02回答
- 评论(6)
- 举报
-
(0)
# ipsec policy-template GE1/0/3 1 transform-set GE1/0/3_IPv4_1 security acl 3000 //删除,模板方式总部不用写acl,两端都reset ipsec sa、reset ike sa,只能在分支发起ipsec,触发形成隧道 local-address X.X.X.X ike-profile GE1/0/3_IPv4_1
谢谢!还有一个问题,我在总部有一些服务器,用公网地址加端口号,作了一对一映射,为什么在之前华为的路由器上能访问9undo firewall session link-state check tcp),在H3C的上面却不行,是不是也得undo firewall session link-state check tcp?
还是起不来!
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明