与fortigate 100d 组IPsec VPN 报错信息如下,应该怎么配置?
不明白dst的是什么地址,根本没配置过这地址。
Process
SA payload.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Check ISAKMP transform 1.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Lifetime type is 1.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Life duration is 28800.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Encryption algorithm is 3DES-CBC.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Authentication method is Pre-shared key.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
HASH algorithm is HMAC-SHA1.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
DH group is 2.
*Jan 29 21:59:19:954 2019 H3C IKE/7/EVENT: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Pre-shared key matching address 101.95.170.98 not found.
*Jan 29 21:59:19:954 2019 H3C IKE/7/ERROR: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
No acceptable transform.
*Jan 29 21:59:19:954 2019 H3C IKE/7/ERROR: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Failed to parse the IKE SA payload.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Construct notification packet: NO_PROPOSAL_CHOSEN.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Sending packet to 101.95.170.98 remote port 500, local port 500.
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
I-COOKIE: 6f2c8c487cb284b4
R-COOKIE: 0000000000000000
next payload: NOTIFY
version: ISAKMP Version 1.0
exchange mode: Info
flags:
message ID: 0
length: 56
*Jan 29 21:59:19:954 2019 H3C IKE/7/PACKET: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Sending an IPv4 packet.
*Jan 29 21:59:19:955 2019 H3C IKE/7/EVENT: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Sent data to socket successfully.
*Jan 29 21:59:19:955 2019 H3C IKE/7/ERROR: vrf = 0, src = 180.155.122.133, dst = 101.95.170.98/500
Failed to negotiate IKE SA.
<H3C>dis current-configuration
#
version 7.1.064, Release 9510P06
#
sysname H3C
#
context Admin id 1
#
telnet server enable
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
nat address-group 1 name ÉÏÍøIP
#
dhcp enable
dhcp server forbidden-ip 172.16.1.1
dhcp server forbidden-ip 172.16.1.2
dhcp server forbidden-ip 172.16.1.3
dhcp server forbidden-ip 172.16.1.4
dhcp server forbidden-ip 172.16.1.5
dhcp server forbidden-ip 172.16.1.6
dhcp server forbidden-ip 172.16.1.7
dhcp server forbidden-ip 172.16.1.8
dhcp server forbidden-ip 172.16.1.9
dhcp server forbidden-ip 172.16.1.10
dhcp server forbidden-ip 172.16.1.11
dhcp server forbidden-ip 172.16.1.12
dhcp server forbidden-ip 172.16.1.13
dhcp server forbidden-ip 172.16.1.14
dhcp server forbidden-ip 172.16.1.15
dhcp server forbidden-ip 172.16.1.16
dhcp server forbidden-ip 172.16.1.17
dhcp server forbidden-ip 172.16.1.18
dhcp server forbidden-ip 172.16.1.20
dhcp server forbidden-ip 172.16.1.21
dhcp server forbidden-ip 172.16.1.22
dhcp server forbidden-ip 172.16.1.23
dhcp server forbidden-ip 172.16.1.24
dhcp server forbidden-ip 172.16.1.25
dhcp server forbidden-ip 172.16.1.26
dhcp server forbidden-ip 172.16.1.27
dhcp server forbidden-ip 172.16.1.28
dhcp server forbidden-ip 172.16.1.29
dhcp server forbidden-ip 172.16.1.30
dhcp server forbidden-ip 172.16.1.31
dhcp server forbidden-ip 172.16.1.32
dhcp server forbidden-ip 172.16.1.33
dhcp server forbidden-ip 172.16.1.34
dhcp server forbidden-ip 172.16.1.35
dhcp server forbidden-ip 172.16.1.36
dhcp server forbidden-ip 172.16.1.37
dhcp server forbidden-ip 172.16.1.38
dhcp server forbidden-ip 172.16.1.39
dhcp server forbidden-ip 172.16.1.40
dhcp server forbidden-ip 172.16.1.41
dhcp server forbidden-ip 172.16.1.42
dhcp server forbidden-ip 172.16.1.43
dhcp server forbidden-ip 172.16.1.44
dhcp server forbidden-ip 172.16.1.45
dhcp server forbidden-ip 172.16.1.46
dhcp server forbidden-ip 172.16.1.47
dhcp server forbidden-ip 172.16.1.48
dhcp server forbidden-ip 172.16.1.49
dhcp server forbidden-ip 172.16.1.50
dhcp server forbidden-ip 172.16.1.189
#
password-recovery enable
#
vlan 1
#
object-group ip address 172.16.45.0
#
object-group ip address 172.17.1.0
#
dhcp server ip-pool Users
gateway-list 172.16.1.1
network 172.16.1.0 mask 255.255.255.0
dns-list 202.96.209.5 202.96.209.133
#
interface NULL0
#
interface Vlan-interface1
ip address dhcp-alloc
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
combo enable copper
ip address 180.155.122.133 255.255.255.248
nat inbound 2000 address-group 1 no-pat
nat outbound 2000
ipsec apply policy GE1/0/1
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
object-policy ip Any-Any
rule 0 pass
#
security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet1/0/3
#
security-zone name DMZ
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source Any destination Any
object-policy apply ip Any-Any
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 4
authentication-mode scheme
user-role network-operator
#
line vty 5 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 222.72.38.89
ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 180.155.122.134
#
ssh server enable
#
acl basic 2000
rule 0 permit
#
acl advanced name IPsec_GE1/0/1_IPv4_1
rule 1 permit ip source 172.16.1.0 0.0.0.255 destination 172.16.45.0 0.0.0.255
rule 2 permit ip source 172.16.45.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$qjPPN+fk9eRPEEzw$j33KT873YXSuFn31t7hXNaZGNQiC1NIk54X+Z8wXQLD3egouKAn3zZt0x8SAMILnJhMrpI7xgT+f9f3nsl8pCQ==
service-type ssh telnet terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set GE1/0/1_IPv4_1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm sha1
pfs dh-group2
#
ipsec policy GE1/0/1 1 isakmp
transform-set GE1/0/1_IPv4_1
security acl name IPsec_GE1/0/1_IPv4_1
local-address 180.155.122.133
remote-address 116.239.16.209
ike-profile GE1/0/1_IPv4_1
sa duration time-based 28800
#
ike profile GE1/0/1_IPv4_1
keychain GE1/0/1_IPv4_1
local-identity address 180.155.122.133
match remote identity address 116.239.16.209 255.255.255.0
match local address GigabitEthernet1/0/1
proposal 65535
#
ike proposal 65535
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
description GE1/0/1_IPv4_1
#
ike keychain GE1/0/1_IPv4_1
match local address GigabitEthernet1/0/1
pre-shared-key address 116.239.16.209 255.255.255.0 key cipher $c$3$kQzwjR67VpWjQ9aI2HO0MUkJMy2LeCadHg==
#
ip https enable
#
inspect block-source parameter-profile ips_block_default_parameter
#
inspect block-source parameter-profile url_block_default_parameter
#
inspect capture parameter-profile ips_capture_default_parameter
#
inspect redirect parameter-profile av_redirect_default_parameter
#
inspect redirect parameter-profile ips_redirect_default_parameter
#
inspect redirect parameter-profile url_redirect_default_parameter
#
ips block-source parameter-profile ips_block_default_parameter
#
return
(0)
最佳答案
把没用的路由删掉
undo ip route-static 0.0.0.0 0 GigabitEthernet1/0/1 180.155.122.134
ipsec数据不要做nat
acl advanced 3999
rule deny ip source 172.16.1.0 0.0.0.255 destination 172.16.45.0 0.0.0.255
rule deny ip source 172.16.45.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
rule permit ip
quit
interface GigabitEthernet1/0/1 //此修改会导致内网中断,谨慎操作
undo nat inbound 2000 address-group 1 no-pat
undo nat outbound 2000
nat outbound 3999
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论