
Firewall VPN setup problem, F1000-AK115

Asked 2018-10-21

Problem description:

A hospital set up a VPN for the New Rural Cooperative Medical Scheme (新农合), and now for some reason the tunnel will not come up. On the access switch I configured a mirror port to mirror the VPN device's interface to my own PC and captured packets, and found no packets whose destination address is the remote peer. Can I conclude that the VPN device has a configuration or hardware problem?

Network diagram and description:


Best answer (accepted)

What kind of VPN is this? In your diagram the VPN is drawn between the switch and the server; is it a GRE VPN?

If it is GRE, you can refer to the case at the link below:

http://www.h3c.com/cn/d_201804/1075309_30005_0.htm#_Toc509595413

IPsec troubleshooting steps

1. Check IKE SA establishment with display ike sa

<H3C>dis ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     1             34.1.1.2        RD            1     IPSEC
     3             34.1.1.2        RD            2     IPSEC

Troubleshooting steps when phase 1 cannot be established:

1) Use disp ike proposal to check whether the IKE proposals on both ends are the same

Initiator

disp ike proposal
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  1        PRE_SHARED     SHA         DES_CBC         MODP_768       86400
  2        RSA_SIG        SHA         DES_CBC         MODP_768       86400
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400

Responder

disp ike proposal
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  2        RSA_SIG        SHA         DES_CBC         MODP_768       86400
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400

IKE proposals have a priority when configured. When the IKE phase-1 SA is established in main mode, the initiator sends all of its IKE proposals in priority order; the responder compares the received proposals, in the order received, against all of its own proposals and selects a matching one to continue the negotiation. If the comparison fails, the negotiation is aborted.

The weaker negotiation ability of aggressive mode shows up like this: an initiator using main mode can send all of its IKE proposals, but in aggressive mode it can only send the first one, so if the first one does not match the responder's security proposal, the negotiation fails.

2) Use display ike peer to check whether the pre-shared keys on both ends are configured identically

dis ike peer
---------------------------
 IKE Peer: r4
   exchange mode: aggressive on phase 1
   pre-shared-key simple h3c
   peer id type: name
   peer ip address: 0.0.0.0 ~ 255.255.255.255
   local ip address:
   peer name: r4
   nat traversal: enable
   dpd: 1
---------------------------

With debugging ike you can see the following:

ike exchange debugging switch is on
ike error debugging switch is on

When the IKE security proposals do not match, the receiving end reports the following error:

%Mar 13 15:56:10:359 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE ad9a14090ec90cdc and R_COOKIE 0000000000000000, because of 'No proposal is chosen' from payload PROPOSAL.

Debug information on the initiator:

*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required KEY_EXCH
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange validate: checking for required ID
*Mar 13 18:44:34:531 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...

Debug error information on the initiator when the IKE pre-shared-key is misconfigured:

*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required KEY_EXCH
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required ID
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange validate: checking for required AUTH
*Mar 13 15:49:10:906 2012 H3C IKE/7/DEBUG: exchange run: fail to receive message

At this stage

Troubleshooting when phase 2 cannot be established

1) When the ipsec proposals are configured differently:

display ike sa shows:

   dis ike sa
 total phase-1 SAs:  1
 connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     5             34.1.1.1        RD|ST         1     IPSEC

Phase 1 is established normally.

The receiving end reports the following error:

%Mar 14 09:12:08:485 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No proposal is chosen' from payload PROPOSAL.

Debug information on the initiator:

*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange create(i): 80cbf30
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:21:58:079 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange create(r): 80d2af0
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange validate: checking for required INFO
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80cbf30
*Mar 14 09:21:58:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d2af0
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: Connection name is 34.1.1.1,34.1.1.2,500,0;#h3c,1-15
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: Check connection: SA for 34.1.1.1,34.1.1.2,500,0;#h3c,1-15 missing
*Mar 14 09:22:00:500 2012 H3C IKE/7/DEBUG: exchange lookup : name = 34.1.1.1,34.1.1.2,500,0;#h3c,1-15 phase = 2

2) When the ACL is configured incorrectly:

The receiving end reports the following error:

%Mar 14 09:25:44:906 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, dst addr: 23.1.1.1) with I_COOKIE 464e5c94b714eb54 and R_COOKIE c00de3cfe9e93621, because of 'No IPSec policy found' from payload PROPOSAL.

Debug information on the initiator:

*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange create(i): 80d45f0
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:32:53:079 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange create(r): 80daf70
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange validate: checking for required INFO
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d45f0
*Mar 14 09:32:53:094 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80daf70
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: Connection name is 34.1.1.1,34.1.1.2,500,0;#h3c,1-31
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: Check connection: SA for 34.1.1.1,34.1.1.2,500,0;#h3c,1-31 missing
*Mar 14 09:32:55:485 2012 H3C IKE/7/DEBUG: exchange lookup : name = 34.1.1.1,34.1.1.2,500,0;#h3c,1-31 phase = 2

At this point the IPsec configuration troubleshooting is complete; below is the debug output of a normal IKE establishment.

*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange create(i): 80d45f0
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:34:05:344 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 0, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required SA
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required NONCE
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 1, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange validate: checking for required HASH
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: exchange run(i): finished step 2, advancing...
*Mar 14 09:34:05:360 2012 H3C IKE/7/DEBUG: finalize exchange: 2d010100/ffffff00 -> c010100/ffffff00
*Mar 14 09:34:38:875 2012 H3C IKE/7/DEBUG: exchange release: freeing exchange 80d45f0

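The proposal-ordering rule and the two IKE_PACKET_DROPPED reasons in the accepted answer lend themselves to a small triage script. The following Python is an added example, not code from the original post or from H3C: it parses text pasted from display ike proposal and display ike sa, replays the responder's proposal selection for main and aggressive mode, and classifies the receiver-side log lines quoted above. The proposal tables are constructed (the initiator's first proposal uses AES_CBC_128 and MODP_1024 so that main and aggressive mode give different results); the rule that an all-zero R_COOKIE means the drop happened on the initiator's first message comes from ISAKMP, not from the post; and the SA lifetime is excluded from the match on the assumption that the shorter lifetime is negotiated rather than treated as a mismatch.

```python
"""IKEv1 negotiation triage for H3C Comware output (added example, not code from
the original post or from H3C). Consumes pasted `display ike proposal`,
`display ike sa` and IKE_PACKET_DROPPED lines; all samples are constructed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class IkeProposal:
    priority: str      # one row of `display ike proposal`
    auth_method: str   # PRE_SHARED / RSA_SIG
    auth_alg: str      # SHA / MD5
    enc_alg: str       # DES_CBC / 3DES_CBC / AES_CBC_128 ...
    dh_group: str      # MODP_768 / MODP_1024 ...
    lifetime: int      # not compared (assumption: the shorter lifetime wins)

    def matches(self, other):
        keys = ("auth_method", "auth_alg", "enc_alg", "dh_group")
        return all(getattr(self, k) == getattr(other, k) for k in keys)

_PROPOSAL_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
_SA_ROW = re.compile(r"^\s*\d+\s+\S+\s+(\S+)\s+([12])\s+IPSEC\s*$", re.MULTILINE)
_DROP = re.compile(r"IKE_PACKET_DROPPED: IKE packet dropped: \(src addr: (\S+), dst addr: (\S+)\) "
                   r"with I_COOKIE ([0-9a-fA-F]+) and R_COOKIE ([0-9a-fA-F]+), because of '([^']+)'")

def parse_ike_proposals(text):
    """Rows in priority order (lowest number first, 'default' last); header
    lines are skipped because they do not end in the lifetime number."""
    rows = []
    for line in text.splitlines():
        m = _PROPOSAL_ROW.match(line)
        if m:
            rows.append(IkeProposal(*m.groups()[:5], int(m.group(6))))
    return rows

def negotiate_phase1(initiator, responder, mode="main"):
    """Return the (sent, local) pair the responder selects, or None. Main mode
    offers every initiator proposal in priority order; aggressive mode offers
    only the first, so it fails if just that one is unacceptable to the peer."""
    offered = initiator if mode == "main" else initiator[:1]
    for sent in offered:             # responder walks them in the order received
        for local in responder:      # and compares each against all local ones
            if sent.matches(local):
                return sent, local
    return None

def established_phases(display_ike_sa):
    """Phases that have an SA in READY (RD) state in `display ike sa`."""
    return {int(ph) for flags, ph in _SA_ROW.findall(display_ike_sa) if "RD" in flags}

def classify_drop(log_line):
    """Map an IKE_PACKET_DROPPED line to the failed stage and what to check. ISAKMP
    leaves R_COOKIE all zeros in the initiator's first message, so a zero cookie
    means the drop happened before any phase-1 SA existed."""
    m = _DROP.search(log_line)
    if not m:
        return None
    src, dst, _icookie, rcookie, reason = m.groups()
    if reason == "No proposal is chosen" and set(rcookie) == {"0"}:
        stage, check = "phase1-ike-proposal", "display ike proposal on both ends"
    elif reason == "No proposal is chosen":
        stage, check = "phase2-ipsec-proposal", "display ipsec proposal on both ends"
    elif reason == "No IPSec policy found":
        stage, check = "phase2-acl-or-policy", "display ipsec policy and the ACLs on both ends"
    else:
        stage, check = "unknown", "debugging ike error"
    return {"peer": src, "local": dst, "reason": reason, "stage": stage, "check": check}

# Constructed samples: the initiator's first proposal is one the responder lacks.
INITIATOR_PROPOSALS = """\
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  1        PRE_SHARED     SHA         AES_CBC_128     MODP_1024      86400
  2        PRE_SHARED     SHA         DES_CBC         MODP_768       86400
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400
"""
RESPONDER_PROPOSALS = """\
 priority authentication authentication encryption Diffie-Hellman duration
              method       algorithm    algorithm     group       (seconds)
---------------------------------------------------------------------------
  2        RSA_SIG        SHA         DES_CBC         MODP_768       86400
  default  PRE_SHARED     SHA         DES_CBC         MODP_768       86400
"""
_DROP_FMT = ("%Mar {ts} 2012 H3C IKE/4/IKE_PACKET_DROPPED: IKE packet dropped: (src addr: 34.1.1.2, "
             "dst addr: 23.1.1.1) with I_COOKIE {i} and R_COOKIE {r}, because of '{why}' from payload PROPOSAL.")
SAMPLE_DROPS = [  # the three receiver-side messages quoted in the answer
    _DROP_FMT.format(ts="13 15:56:10:359", i="ad9a14090ec90cdc", r="0000000000000000", why="No proposal is chosen"),
    _DROP_FMT.format(ts="14 09:12:08:485", i="464e5c94b714eb54", r="c00de3cfe9e93621", why="No proposal is chosen"),
    _DROP_FMT.format(ts="14 09:25:44:906", i="464e5c94b714eb54", r="c00de3cfe9e93621", why="No IPSec policy found"),
]

def triage():
    ini = parse_ike_proposals(INITIATOR_PROPOSALS)
    rsp = parse_ike_proposals(RESPONDER_PROPOSALS)
    return {
        "main": negotiate_phase1(ini, rsp, "main"),              # priority 2 <-> default
        "aggressive": negotiate_phase1(ini, rsp, "aggressive"),  # None: only priority 1 is offered
        "drops": [classify_drop(line)["stage"] for line in SAMPLE_DROPS],
    }
```

Calling triage() shows the point the answer makes about aggressive mode: with the same two proposal tables, main mode settles on the initiator's priority 2 against the responder's default, while aggressive mode returns None because only priority 1 is ever sent. The three quoted log lines classify as phase-1 IKE proposal mismatch, phase-2 IPsec proposal mismatch and phase-2 ACL/policy mismatch respectively, and established_phases() on the display ike sa output tells you which phase to start from before reading any debug output.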

It is IPsec.

zhiliao_eQYBm, posted 2018-10-21

OK, thanks, I will try it tomorrow. So can it basically be concluded that it is a configuration problem or a problem with the VPN device itself?

zhiliao_eQYBm, posted 2018-10-21

If it is difficult to troubleshoot, you can call the 400 hotline and have them help you troubleshoot.

哈配哈哈配, posted 2018-10-21